Tags: macos, security, sandbox, deprecated

How to sandbox third party applications when `sandbox-exec` is deprecated now?


I've noticed that in the newest macOS the sandbox-exec command is deprecated. According to its manual:

The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide. [...]

Moreover, a few commands were removed, like sandbox-simplify. Also, it seems that the trace function is not working anymore; the following config just does not produce output anymore (while it did in earlier versions):

(version 1) 
(debug all)
(trace "/tmp/trace.sb")
(deny default)

My question is, what is the "new" way of sandboxing third-party apps? I'm not asking this question from the perspective of a developer. I'm asking it as a power user who wants to add additional sandboxing limits to apps I don't trust.


Solution

While Apple claims this older style of sandboxing via profiles (sometimes called "Seatbelt") is deprecated, it's still used heavily across macOS by both Apple and third-party developers as of 2020. You can find sandboxing profiles in various places such as:

The new approach is the similarly-named App Sandbox feature (more details in the design guide). This newer sandboxing is controlled by "entitlements", which are various flags an app developer can set as part of the code signature when building the app. Internally, it makes use of the older sandboxing profile system above by applying the profile /System/Library/Sandbox/Profiles/application.sb during app startup. App Sandbox is much more limited than the full profile system, relying only on a few flags and lists, which can't offer the same flexibility as using profiles directly. As far as I know, there's no way to control this newer system as a user, since you'd need to repackage and resign an app to do so.

As a user, sandboxing profiles for sandbox-exec are still your main and only option on macOS. While it may say deprecated, it doesn't look like they are going away any time soon either, since it's still widely used in both profile form and as an internal layer for the newer App Sandbox feature.
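Since the answer leaves the reader with "profiles are still your option" but no profile, here is an added example (not from the question, the answer, or Apple) of what a power user's deny-by-default profile for an untrusted command-line tool looks like and how to launch the tool under it. The set of read-only directories, the WORKDIR parameter name and the scratch locations are assumptions for a generic tool; a real application will need its own allow rules.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: wrap an untrusted
# third-party binary in a deny-by-default Seatbelt (SBPL) profile and run it with
# sandbox-exec. The allowed directories and the WORKDIR parameter are assumptions
# for a generic command-line tool; tighten or widen them per application.

# make_profile: print a profile that lets the app execute and read the OS
# install, read/write only the directory passed as the WORKDIR parameter,
# and make no network connections at all.
make_profile() {
  cat <<'EOF'
(version 1)
(deny default)
; baseline rules macOS processes need (sysctl, mach services, dyld caches)
(import "system.sb")
(allow process*)
(allow file-read-metadata)
; read-only view of the OS and installed software
(allow file-read*
  (subpath "/usr") (subpath "/bin") (subpath "/sbin")
  (subpath "/System") (subpath "/Library") (subpath "/private/etc")
  (subpath "/dev"))
; the only writable location: the directory supplied with -D WORKDIR=...
(allow file-read* file-write* (subpath (param "WORKDIR")))
; scratch space many tools expect
(allow file-write* (subpath "/private/tmp") (subpath "/private/var/folders"))
; no sockets, no DNS, no outbound connections
(deny network*)
EOF
}

# profile_allows_network PROFILE_TEXT -> 0 if the profile contains an allow rule
# for network access; a quick sanity check before trusting a profile.
profile_allows_network() {
  printf '%s\n' "$1" | grep -Eq '^\(allow[^)]*network'
}

# run_sandboxed WORKDIR COMMAND [ARGS...]: run COMMAND under the profile.
# sandbox-exec confines the command and every child process it spawns.
run_sandboxed() {
  workdir="$1"; shift
  [ -d "$workdir" ] || { echo "workdir $workdir does not exist" >&2; return 2; }
  command -v sandbox-exec >/dev/null 2>&1 || { echo "sandbox-exec not found (macOS only)" >&2; return 127; }
  profile=$(mktemp -t profile.XXXXXX) || return 1
  make_profile > "$profile"
  sandbox-exec -f "$profile" -D "WORKDIR=$workdir" "$@"
  rc=$?
  rm -f "$profile"
  return $rc
}

# Usage (assumed tool and path): confine a converter to ~/sandboxed only.
# run_sandboxed "$HOME/sandboxed" /path/to/untrusted-tool input.txt
```

Because the (trace) directive no longer emits anything, the practical way to see what the profile blocks is the unified log: sandbox denials are written there by the kernel as messages beginning with "Sandbox:", so `log stream --predicate 'eventMessage contains "Sandbox:"'` in a second terminal while the tool runs shows each denied operation and path, which you then either add as an explicit allow rule or accept as the intended restriction.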