macOS's Command-Line Sandboxing Tool: sandbox-exec

Overview

sandbox-exec is a built-in macOS command-line utility that enables users to execute applications within a secure, isolated sandboxed environment. It restricts an application’s access to system resources to only what is explicitly permitted, minimizing potential damage from malicious code or unintended behavior.

Key Insights

• Native macOS Utility: sandbox-exec is a core macOS tool for process isolation.
• Profile-Driven: Sandboxing behavior is defined by a sandbox profile (.sb file) using a Scheme-like (LISP dialect) syntax.
• Explicit Control: Users define precise rules for file, network, and process access.
• Two Core Approaches:
  • Deny by Default: Most secure, permits only explicitly allowed operations.
  • Allow by Default: More permissive, denies only explicitly forbidden operations.
• Debugging Tools: Console.app and log stream are crucial for identifying sandbox violations.
• Power User Tool: While Apple encourages App Sandbox for developers, sandbox-exec offers granular control for security-conscious users and testing environments.
• Limitations: It lacks a GUI, requires iterative testing, and is considered deprecated for formal application development in favor of App Sandbox.

Technical Details

Benefits of Application Sandboxing

Implementing application sandboxing provides significant security and control advantages:

• Malicious Code Protection: Prevents untrusted applications or scripts from accessing sensitive files or transmitting data.
• Damage Limitation: Restricts the impact of vulnerabilities in even trusted applications.
• Privacy Control: Explicitly denies applications access to personal directories like Documents, Photos, or Contacts.
• Development Testing: Offers a controlled environment for developers to test applications with limited permissions.
• Resource Restriction: Beyond security, it can limit an application’s resource consumption or network access.

Getting Started with sandbox-exec

Using sandbox-exec involves creating a sandbox profile, which is a configuration file defining the rules for the secure environment.

Basic Syntax:

sandbox-exec -f profile.sb command_to_run

Here, profile.sb contains the rules, and command_to_run is the application to execute within those constraints.

Understanding Sandbox Profiles

Sandbox profiles utilize a Scheme-like syntax, grouping expressions with parentheses.

Basic Structure:

• Version Declaration: (version 1)
• Default Policy: (deny default) or (allow default)
• Specific Rules: Expressions allowing or denying operations.

Rule Targeting: Rules can target resources using:

• Literal Paths: (literal "/path/to/file")
• Regular Expressions: (regex "^/System")
• Glob Patterns: (subpath "/Library")

Fundamental Sandboxing Approaches

Two primary philosophies guide sandbox profile creation:

1. Deny by Default (Most Secure) This approach denies all operations by default and explicitly allows only essential ones. It is ideal for untrusted code but requires meticulous configuration.

   (version 1)
   (deny default)
   (allow file-read-data (regex "^/usr/lib"))
   (allow process-exec (literal "/usr/bin/python3"))
   

2. Allow by Default (More Permissive) This approach allows all operations by default, with specific exclusions for risky actions. It is simpler to implement but less secure, as it relies on anticipating all potential threats.

   (version 1)
   (allow default)
   (deny network*)
   (deny file-write* (regex "^/Users"))
   

Practical Examples

Sandboxed Terminal Session

Create a terminal session that cannot access the network or personal directories.

terminal-sandbox.sb:

(version 1)
(allow default)
(deny network*)
(deny file-read-data (regex "^/Users/[^/]+/(Documents|Pictures|Desktop)"))

Execution:

sandbox-exec -f terminal-sandbox.sb zsh

Using Pre-built System Profiles

macOS includes profiles in /System/Library/Sandbox/Profiles for system services, which can be adapted or used directly.

Example:

sandbox-exec -f /System/Library/Sandbox/Profiles/weatherd.sb command

Debugging Sandbox Issues

When applications fail within a sandbox, identifying blocked operations is critical.

Using the Console App

1. Open Console.app (Applications → Utilities → Console).
2. Search for “sandbox” and your application’s name.
3. Look for “deny” entries to identify restricted operations.

Using Terminal for Real-time Logs

Monitor sandbox violations in real-time:

log stream --style compact --predicate 'sender=="Sandbox"'

Filter for a specific application:

log stream --style compact --predicate 'sender=="Sandbox" and eventMessage contains "python"'

These logs detail denied operations, aiding profile refinement.

Advanced Techniques

Creating a Sandbox Alias

Define shell aliases for frequently used sandbox profiles:

# Add to ~/.zshrc or ~/.bash_bash_profile
alias sandbox-no-network='sandbox-exec -p "(version 1)(allow default)(deny network*)"'

# Usage:
sandbox-no-network curl -v https://google.com

Note that this alias might not effectively sandbox all UI applications, as demonstrated by attempts to restrict browser network access.

Importing Existing Profiles

Extend existing profiles by importing them:

(version 1)
(import "/System/Library/Sandbox/Profiles/bsd.sb")
(deny network*)  ; Add additional restrictions

Limitations and Considerations

Despite its capabilities, sandbox-exec has limitations:

• Deprecation: Apple discourages its direct use for developers in favor of the more robust App Sandbox.
• Complexity: Modern applications’ intricate requirements can make comprehensive sandboxing challenging.
• Trial and Error: Effective profile creation often necessitates iterative testing to identify all necessary permissions.
• No GUI: Configuration occurs entirely via command-line and profile editing, unlike App Sandbox’s Xcode integration.
• System Updates: macOS updates may alter sandbox-exec behavior or rule efficacy.

Conclusion

While Apple’s security focus has shifted towards integrated developer tools, sandbox-exec remains a potent utility for power users, security researchers, and developers testing untrusted code. It provides an unparalleled level of granular control and customization over process execution environments. Despite its lack of documentation and potential deprecation, its flexibility for creating finely-tuned security profiles offers benefits beyond typical security solutions, making it a valuable tool for those who master its intricacies.