    (version 1)
    (trace "/tmp/traceout.sb")

Then

    sandbox-exec -f trace.sb binary_to_be_sandboxed
    sandbox-simplify /tmp/traceout.sb > ./tracesimple.sb

sandbox-simplify crunches the verbose trace log down into a more compact profile. Edit it (in particular, remove any spurious dtrace lines that are artifacts of the capture process) and then run the binary in its sandbox:

    sandbox-exec -f tracesimple.sb binary_to_be_sandboxed

This blog has a simple shell script to automate the above process, but you probably want to inspect and edit your profile manually before using it for real.

You can see a bunch of built-in sandboxes in

    /usr/share/sandbox

and you can view which running processes are sandboxed by adding the Sandbox column to the Activity Monitor GUI.
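The trace, simplify and edit loop above, written out as a POSIX shell script. This is an added example, not the script from the blog the post refers to and not Apple's code: it assumes `sandbox-exec` and `sandbox-simplify` are on PATH (macOS only; on any other system it refuses to run the tracing step), that the profile and log paths come from the environment variables shown, and that any rule mentioning dtrace is one of the capture artifacts the post says to strip. The sample profile in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example: automate trace -> simplify -> strip capture artifacts for
# macOS sandbox-exec. Paths below are assumptions, overridable via environment.
set -eu

TRACE_PROFILE="${TRACE_PROFILE:-./trace.sb}"
TRACE_OUT="${TRACE_OUT:-/tmp/traceout.sb}"
SIMPLE_PROFILE="${SIMPLE_PROFILE:-./tracesimple.sb}"

# Write the minimal tracing profile from the post to $1, logging every
# operation the traced binary performs into $2 instead of denying it.
write_trace_profile() {
    printf '(version 1)\n(trace "%s")\n' "$2" > "$1"
}

# Drop rules that only exist because of the trace capture itself (the post
# calls these spurious dtrace lines). Reads a profile on stdin, writes stdout.
# Constructed input such as
#   (allow file-read* (literal "/dev/dtracehelper"))
# is removed; every other rule passes through unchanged.
strip_dtrace_rules() {
    grep -v -i 'dtrace' || true   # grep exits 1 if it drops every line
}

# Run the binary once under the tracing profile, then produce a simplified
# profile with the capture artifacts removed. Review the result by hand
# before trusting it: it only covers code paths the traced run exercised.
trace_and_simplify() {
    binary="$1"
    shift
    if ! command -v sandbox-exec >/dev/null 2>&1 ||
       ! command -v sandbox-simplify >/dev/null 2>&1; then
        echo "sandbox-exec/sandbox-simplify not found (macOS only)" >&2
        return 1
    fi
    write_trace_profile "$TRACE_PROFILE" "$TRACE_OUT"
    sandbox-exec -f "$TRACE_PROFILE" "$binary" "$@"
    sandbox-simplify "$TRACE_OUT" | strip_dtrace_rules > "$SIMPLE_PROFILE"
    echo "Wrote $SIMPLE_PROFILE; inspect it, then run:" >&2
    echo "  sandbox-exec -f $SIMPLE_PROFILE $binary" >&2
}

# Usage: sh sandbox_trace.sh /path/to/binary [args...]
if [ "$#" -gt 0 ]; then
    trace_and_simplify "$@"
fi
```

The generated profile only allows what the traced run actually did, so exercise the binary's full workload (including error paths) during the trace run, or the sandboxed binary will be denied operations the first time it takes a path the trace never saw.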