MacOS has a construct in Sandbox function which can enable you to however doesn’t precisely have the identical performance as Sandboxy.
This Paolo Fabio Zaino’s Weblog submit from 2015 explains find out how to run Functions in a Mac OS X sandbox. He summarizes it this manner:
by utilizing sandboxing, you may limit entry an utility can need to working system assets like filesystem or community and so forth…
Quoting his Weblog Publish:
Easy methods to sandbox an utility?
To start with, to let Mac OS X to know which assets your utility
requires to having the ability to run correctly we have to create a sandbox
configuration file. This exercise would require a while and testing
as a result of every utility has completely different necessitiesRight here is an instance (change MyApp along with your utility title):
;; That is my first sandbox configuration file! (model 1) (deny default) ;; Let's permit file learn and write in particular places and never ;; throughout my filesystem! ;; Please observe you may add extra (regex "^/Customers/user_name/xxxxxxxxxxx") traces relying ;; on what your MyApp must perform correctly. (permit file-write* file-read-data file-read-metadata (regex "^/Customers/user_name/[Directories it requires to write and read from]") (regex "^/Functions/MyApp.app") (regex "^(/personal)?/tmp/")) ;; You may as well add a sperate part for studying and writing information outdoors your ;; user_name account listing. (permit file-read-data file-read-metadata (regex "^/dev/autofs.*") (regex "^/System/Library") (regex "^/Functions/MyApp.app") (regex "^/usr/lib") (regex "^/var") (regex "^/Customers/user_name")) ;; In case your MyApp requires to entry sysctl (in learn) (permit mach* sysctl-read) ;; If you wish to import further guidelines from ;; an current sandbox configuration file: (import "/usr/share/sandbox/bsd.sb") ;; If you wish to resolve during which filesystem paths ;; MyApp is forbidden to write down: (deny file-write-data (regex #"^(/personal)?/and so forth/localtime$" #"^/usr/share/nls/" #"^/usr/share/zoneinfo/")) ;; In case your MyApp desires to run further processes it is be allowed to run solely ;; little one processes and nothign else (permit process-exec (regex "^/Functions/MyApp.app")) ;; In case your MyApp requires community entry you may grant it right here: (permit community*)As soon as we’ve got executed with our sandbox configuration file for our
utility, we will merely execute it utilizing the next command from
the command line:sandbox-exec -f myapp-sandbox-conf /Functions/MyApp.app/Contents/MacOS/MyApp-binThe place myapp is the title of the appliance you wish to run in a
sandbox.If my generic sandbox file shall be too generic for you and also you need
extra sensible examples (already applied) then run your terminal
utility and take a look to all of the examples already kindly
supplied by Apple:ls /usr/share/sandboxOn this listing you’ll discover loads of information like
sshd.sbTo look into and have extra perception/tutorial to write down your personal sandbox
configuration file to your particular utility.
