Monday, November 7, 2011

HOWTO write an OS X (seatbelt) sandbox profile

To create a simple seatbelt sandbox profile, start with a trace by saving this as trace.sb:

(version 1)
(trace "/tmp/traceout.sb")
Then run the binary under the tracing profile and simplify the resulting trace:
sandbox-exec -f trace.sb binary_to_be_sandboxed
sandbox-simplify /tmp/traceout.sb > ./tracesimple.sb
sandbox-simplify crunches the verbose trace log down into a more compact profile. Edit it (in particular, remove any spurious dtrace rules: they are artifacts of the tracing mechanism itself, not something the binary needs) and then run the binary in its sandbox:
sandbox-exec -f tracesimple.sb binary_to_be_sandboxed
This blog has a simple shell script to automate the above process, but you probably want to manually inspect and edit your profile before using it for real.
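The trace, simplify, edit and run cycle above as a small POSIX shell script. This is an added example, not the script the post links to: sandbox-exec and sandbox-simplify only exist on OS X, so the file-handling helpers (emitting the trace profile, stripping dtrace rules, checking parenthesis balance after hand-editing) are kept separate from the one function that actually invokes them. The sample profile inside it is constructed to look like simplified output and is not real trace data; the filter also assumes sandbox-simplify emits one rule per line.

```shell
#!/bin/sh
# Added example (not the blog's script). Automates the trace -> simplify ->
# edit -> run cycle for a seatbelt profile. Only sandbox_cycle needs OS X.

# Emit the tracing profile from the post; $1 is where the trace is written.
make_trace_profile() {
    printf '(version 1)\n(trace "%s")\n' "$1"
}

# Drop rules that exist only because tracing itself goes through dtrace.
# Assumption: sandbox-simplify emits one rule per line, so a line filter
# cannot leave a half-removed rule behind.
strip_dtrace_rules() {
    grep -v -i 'dtrace'
}

# Sanity check for a hand-edited profile: sandbox-exec rejects a profile
# with unbalanced parentheses. Counts characters, so a literal path that
# itself contains a parenthesis would fool it (rare, but worth knowing).
parens_balanced() {
    opens=$(tr -cd '(' < "$1" | wc -c | tr -d ' ')
    closes=$(tr -cd ')' < "$1" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Constructed sample resembling sandbox-simplify output (not real trace data);
# used to exercise the helpers without running anything under sandbox-exec.
sample_profile() {
    cat <<'EOF'
(version 1)
(allow file-read-data (literal "/dev/dtracehelper"))
(allow file-read-metadata (literal "/usr/lib/libSystem.B.dylib"))
(allow sysctl-read)
EOF
}

# Full cycle, OS X only: trace the target, simplify, strip dtrace artifacts,
# check the result is well-formed, then run the target under it.
# Usage: sandbox_cycle /path/to/binary [args...]
sandbox_cycle() {
    target="$1"; shift
    trace_out="/tmp/traceout.$$.sb"
    make_trace_profile "$trace_out" > /tmp/trace.sb
    sandbox-exec -f /tmp/trace.sb "$target" "$@"
    sandbox-simplify "$trace_out" | strip_dtrace_rules > ./tracesimple.sb
    if ! parens_balanced ./tracesimple.sb; then
        echo "tracesimple.sb has unbalanced parentheses; fix it by hand" >&2
        return 1
    fi
    echo "review ./tracesimple.sb before trusting it for real" >&2
    sandbox-exec -f ./tracesimple.sb "$target" "$@"
}
```

The profile a single run produces only covers the code paths that run exercised, so a binary that later opens a file it never touched during tracing will be denied; run the target through its real workload under the trace profile before simplifying.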

You can see a bunch of built-in sandboxes in
/usr/share/sandbox
and you can see which running processes are sandboxed by enabling the Sandbox column in the Activity Monitor GUI.
