Update 26 Mar: fixed a small "bug" where I referred to sandbox_exec instead of sandbox-exec.
Update 4 Mar: use sandbox-exec -p profile-string instead, to avoid the dependency on an external profile file.
Update 9 Feb: allow read access to /usr/share/zoneinfo so that the time is displayed correctly for the configured time zone.

macOS has an extremely granular sandboxing capability, courtesy of BSD, and it is enabled by default for apps from the Mac App Store. Since 2012, all apps on the Mac App Store must run in an app sandbox, which restricts access to system resources unless explicitly required. The sandbox isolates the app and defines its access controls, protecting users from malicious code with undesired behaviour.

Here's how to set up a sandbox for an app downloaded from outside the Mac App Store. In my case, I wanted to test out Kodi v17.0 "Krypton" Release Candidate 4 (previously XBMC), an open-source, cross-platform media centre. My goal was to prevent Kodi from reading my files, and from writing files in locations I did not expect. I also installed a Kodi add-on from an "untrusted source", which sounds dangerous, doesn't it? Enter, sandbox! This goes a long way towards securing the system but does not guarantee that you are "protected"!

Information on sandboxing is rather sparse, but I found two great sources:

To run an app sandboxed, first create a file with the set of rules that permit or deny access to system resources, e.g. kodi.sb:

    (version 1)
    (deny default)
    (allow file-read-metadata)
    (allow mach* sysctl-read)
    (allow ipc-posix-shm (ipc-posix-name-regex "^AudioIO"))
    (allow process-exec (regex "/Applications/Kodi.app"))
    (allow file-read-data (literal "/dev/urandom"))
    (allow file-read-data (regex "^/Applications/Kodi.app" "^/System/Library/" "^/usr/share/zoneinfo/"))
    (allow file-write* file-read-data (regex "^/Users/]/Library/Logs" "^/Users/]/Library/Application Support/Kodi"))

Now, instead of running the application directly, run it via Terminal:

    sandbox-exec -f kodi.sb /Applications/Kodi.app/Contents/MacOS/Kodi

Finally, to create a "shortcut" to sandbox-exec that can be quickly run from Finder / Spotlight, create a .command file as below. The individual rules can be concatenated into a single line, or you can keep the line breaks for readability:

    sandbox-exec -p '(version 1)(deny default)
    (allow file-read-metadata)(allow mach* sysctl-read)
    (allow ipc-posix-shm (ipc-posix-name-regex "^AudioIO"))
    (allow process-exec (regex "/Applications/Kodi.app"))
    (allow file-read-data (literal "/dev/urandom"))
    (allow file-read-data (regex "^/Applications/Kodi.app" "^/System/Library/" "^/usr/share/zoneinfo/"))
    (allow file-write* file-read-data (regex "^/Users/]/Library/Logs" "^/Users/]/Library/Application Support/Kodi"))' /Applications/Kodi.app/Contents/MacOS/Kodi &

Manual Sandbox Testing

Run Kodi (which would inevitably fail), and:

- Inspect the Kodi log files and the messages in Console.
- Also view the open files and ports in Activity Monitor (screenshot below): double-click on the app and select Open Files and Ports.
- Add individual allow rules one at a time, until I get the functionality I expect.

I didn't test everything, and I intentionally did not want Kodi to access my filesystem. You might want to change this behaviour; e.g. I also see Kodi trying to access /Users/]/Library/Saved Application State/, but I was simply too lazy to add it.

What the rules mean:

deny default - deny everything by default.
allow iokit-open - access to device drivers, required for Core Image and OpenGL.
allow file-read-metadata - without which there is no ability to list directories (ls).
allow mach* sysctl-read - read-only access to system information.

I hope the simplified explanation and sample rules above help you. However, sandboxing any other application is rather involved and poorly documented.
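As an added example that is not part of the original post or of Kodi, here is a small POSIX shell script that wraps the whole loop described above: it generates the profile (with the iokit-open rule the explanation mentions, and with the home directory passed in instead of hard-coded), checks that the parentheses balance before handing the profile to sandbox-exec, launches the binary under it, and turns the "deny" lines that Console shows during manual testing into candidate allow rules for review. The function names, the home-directory parameter, the "deny(N) <operation> <path>" log line format and the sample log lines are my own assumptions; sandbox-exec exists only on macOS, so elsewhere the script only writes the profile.

```shell
#!/bin/sh
# Added example, not code from the original post: build the kodi.sb profile,
# check it, launch Kodi under sandbox-exec, and turn sandbox denial lines from
# Console into candidate allow rules for the next test round.
# Assumptions: the home directory is passed in (the post hard-codes it), the
# "deny(N) <operation> <path>" log format, and the function names are mine.
set -eu

# Emit the SBPL profile for the given home directory. Includes the iokit-open
# rule that the post's explanation describes.
make_profile() {
  home="$1"
  cat <<EOF
(version 1)
(deny default)
(allow mach* sysctl-read)
(allow file-read-metadata)
(allow iokit-open)
(allow ipc-posix-shm (ipc-posix-name-regex "^AudioIO"))
(allow process-exec (regex "^/Applications/Kodi.app"))
(allow file-read-data (literal "/dev/urandom"))
(allow file-read-data (regex "^/Applications/Kodi.app" "^/System/Library/" "^/usr/share/zoneinfo/"))
(allow file-write* file-read-data (regex "^$home/Library/Logs" "^$home/Library/Application Support/Kodi"))
EOF
}

# sandbox-exec rejects a profile with unbalanced parentheses (a common slip when
# editing rules by hand), so check before launching. Returns 0 when balanced.
profile_balanced() {
  opens=$(printf '%s' "$1" | tr -cd '(' | wc -c | tr -d ' ')
  closes=$(printf '%s' "$1" | tr -cd ')' | wc -c | tr -d ' ')
  [ "$opens" -eq "$closes" ]
}

# Number of rules that grant any write access: worth eyeballing, since the
# whole point of the exercise is to keep writes confined to a few directories.
write_rule_count() {
  printf '%s\n' "$1" | grep -c 'file-write'
}

# Write the profile to $2 and run binary $3 under it. Outside macOS (no
# sandbox-exec) it only writes the profile, so it stays testable anywhere.
launch_sandboxed() {
  home="$1"; out="$2"; binary="$3"
  profile=$(make_profile "$home")
  profile_balanced "$profile" || { echo "unbalanced profile, refusing to launch" >&2; return 1; }
  printf '%s\n' "$profile" > "$out"
  if command -v sandbox-exec >/dev/null 2>&1; then
    sandbox-exec -f "$out" "$binary" &
  else
    echo "sandbox-exec not found; profile written to $out" >&2
  fi
}

# Read sandbox denial lines (as shown in Console) on stdin and print one
# candidate allow rule per distinct operation/path, for review before adding
# it to the profile. Paths may contain spaces.
suggest_rules() {
  awk '
    {
      for (i = 1; i <= NF; i++) if ($i ~ /^deny(\([0-9]+\))?$/) break
      if (i >= NF) next                       # no operation after "deny"
      op = $(i + 1)
      if (i + 1 == NF) { key = op; rule = "(allow " op ")" }
      else {
        path = $0
        sub(/^.*deny(\([0-9]+\))? +[^ ]+ +/, "", path)
        key = op " " path
        rule = "(allow " op " (literal \"" path "\"))"
      }
      if (!(key in seen)) { seen[key] = 1; print rule }
    }'
}
```

Source the file and call launch_sandboxed "$HOME" ~/kodi.sb /Applications/Kodi.app/Contents/MacOS/Kodi; after a failed run, paste the deny lines from Console into suggest_rules and add only the rules you actually want, one at a time, exactly as the post's manual testing loop does. The suggestions use literal paths on purpose: widening them to a regex is a decision to make deliberately, not something a script should do for you.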