Sandbox on Mac OS X
I can't use the sandbox-exec command as I expected.
The problem is that I cannot apply a custom profile with the -f switch: I get "operation not permitted" error which I could not trace to anything useful when I searched online for a solution.
$ sandbox-exec -f alfred-profile.sb /Applications/Alfred.app/Contents/MacOS/Alfred
sandbox-exec: /Applications/Alfred.app/Contents/MacOS/Alfred: Operation not permitted
It is, however, possible to run pre-defined profiles with the -n switch. The following example runs successfully (starts Alfred and does not allow the process to access the network).
$ sandbox-exec -n no-network /Applications/Alfred.app/Contents/MacOS/Alfred
What are the contents of alfred-profile.sb? I think you have denied/not explicitly allowed an operation that is required for the app to start. I would check that first, if possible.
Consider two profiles:
- A permissive profile, good_profile.sb: (version 1) (allow default)
- A restrictive profile, bad_profile.sb: (version 1) (deny default)
Note: a profile just consisting of (version 1) will display the same behavior, as deny is the default sandbox behavior.
Now, when I run the permissive profile on my machine, I get:
sandbox-exec -f good_profile.sb /sbin/ping www.google.com
PING www.google.com (216.58.194.196): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- www.google.com ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
But when I run the restricted profile I get:
sandbox-exec -f bad_profile.sb /sbin/ping www.google.com
sandbox-exec: /sbin/ping: Operation not permitted
In both cases, the profile was loaded, but in the second case the process was denied permissions needed to run and so never started.
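As an added example (not code from the question or the answer above), here is a deny-by-default profile that grants only what the sandboxed process needs to start while keeping the network closed. The target path and the library paths are assumptions and may need adjusting for a given macOS release.

```scheme
;; Added example profile, not from the question or answer above.
;; Assumptions: the target is /sbin/ping; the library paths listed are the
;; usual dyld locations and may need adjusting for your macOS version.
(version 1)
(deny default)

;; Write every denied operation to the system log (visible in Console or
;; via `log show`), so a process that fails to start can be traced to the
;; specific rule the profile is missing.
(debug deny)

;; sandbox-exec applies the profile first and then exec()s the target, so
;; the exec itself must be allowed; with (deny default) alone this is the
;; step that produces "sandbox-exec: ...: Operation not permitted".
(allow process-exec (literal "/sbin/ping"))

;; dyld must be able to read the binary and its shared libraries.
(allow file-read*
       (literal "/sbin/ping")
       (subpath "/usr/lib")
       (subpath "/System/Library")
       (subpath "/private/var/db/dyld"))
(allow file-read-metadata)

;; libSystem queries a few sysctls during process initialisation.
(allow sysctl-read)

;; Keep the network closed, which is the point of the restriction.
(deny network*)
```

With this profile the process is allowed to start, so any failure now comes from the program's own network calls rather than from sandbox-exec, and each refusal is logged because of (debug deny).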