3

I'm looking for a way to "sandbox" a "daemon" process on MacOS.

On Linux we have various kernel mechanism to restrict what some process can do (Linux namespaces, seccomp. Capabilities in a way, too). On OpenBSD we have chroot and pledge. On FreeBSD we have jails.

I'm aware of the App Sandboxing mechanism that is available on recent version of MacOSX. But as far as I understand, it is supposed to contain a classical GUI App that a user could launch from /Applications.

Here what I have is just a system daemon (= process) that I'd like to sandbox. For example, that daemon would not need to write to the filesystem, or it would not need to use the network, etc. So I'd like the MacOS system to enforce that by prohibiting access to some ressources.

launchd does not help either. With launchd I can 'daemonize' properly my process, reserve some socket ports, but I did not see any way to "encage" the process.

sandbox_init looks more interesting, but it is "DEPRECATED".

That just leaves chroot on MacOS. Of course chroot only prevents some filesystem usage.

Is there another available sandboxing mechanism ?

Stephane Martin
  • 1,612
  • 1
  • 17
  • 25

1 Answers1

4

Chromium does still use sandbox_init(), because they say Apple never provided a suitable replacement. See seatbelt.cc

But I suspect the non-deprecated way to do this is to use codesign to embed a plist of entitlements into the binary. There's not much info online about doing this though, see Mac OS app, sandbox with command line tool? and How to sandbox a command line tool?

You could also use Xcode to create a command-line tool project, enable sandboxing on it, and see what it does.

Brendan Shanks
  • 3,141
  • 14
  • 13