I wrote a sandbox specification file (inspired by files from /usr/share/sandbox
and manuals like this) and now I can launch some app in a sandbox with sandbox-exec $path_to_rules /Applications/$appname.app/Content/...
. Fine.
Is there a way to enforce the rules when the app is started in the regular way (Finder's "Open with…", etc.)?
I thought about replacing the binary inside the .app with a wrapper script, but it will be overwritten after an app update and I will need to restore it every time.
Best Answer
Yes, you can change the binary, or even change the Info.plist, but, as with changing the binary, you will need to do this again each time the app is updated. There's no way to do this without changing the app in a way that won't be overwritten when it's updated.
You can automatically make your changes with a Launch Agent.
Save the following in ~/Library/LaunchAgents as com.yourname.youragent.plist, then run launchctl load ~/Library/LaunchAgents/com.yourname.youragent.plist.

The above script will watch the WatchPaths for any modifications (in this case, it's watching the binary for an app) and will run cp to copy your binary to the app in /Applications.
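The answer above describes the mechanism (a wrapper in place of the app's executable, re-applied by a LaunchAgent with WatchPaths) but the plist itself is not reproduced on this page. The script below is an added example, not the answerer's plist or the asker's rules file. It assumes a few things that are not in the original: the real executable is kept next to the wrapper with a ".real" suffix (so the wrapper still has something to run under sandbox-exec), the wrapper marks itself with a comment line so the installer can tell a wrapper from a freshly updated binary, the agent label com.example.sandboxwrap is a placeholder, and paths contain no XML-special characters. sandbox-exec is invoked as /usr/bin/sandbox-exec -f profile binary, which is its documented form.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Placeholder names:
# ".real" suffix, the marker comment and the agent label are assumptions.
set -u

MARKER='# sandbox-exec-wrapper v1'   # identifies a wrapper we installed

# Write a wrapper to $1 that runs the real binary $2 under the sandbox
# profile $3, forwarding whatever arguments LaunchServices passes the app.
write_wrapper() {
    wrapper="$1"; real_bin="$2"; rules="$3"
    cat > "$wrapper" <<EOF
#!/bin/sh
$MARKER
exec /usr/bin/sandbox-exec -f "$rules" "$real_bin" "\$@"
EOF
    chmod 755 "$wrapper"
}

# Succeeds only if $1 is a script starting with "#!" that carries our marker
# line; a Mach-O binary dropped in by an app update fails the first check.
is_wrapper() {
    [ -f "$1" ] && [ "$(head -c 2 "$1")" = '#!' ] && grep -qxF "$MARKER" "$1"
}

# Idempotent installer, run by hand once and by the LaunchAgent every time
# WatchPaths fires. $1 = app's main executable, $2 = sandbox profile.
# Because our own mv/write triggers WatchPaths again, the early return on
# an already-installed wrapper is what stops the agent from looping.
install_wrapper() {
    app_bin="$1"; rules="$2"
    real_bin="$app_bin.real"
    [ -f "$app_bin" ] || return 1        # mid-update or wrong path: try later
    if is_wrapper "$app_bin"; then
        return 0
    fi
    # Not our wrapper, so this is the real (new) binary: move it aside,
    # overwriting any stale .real left from the previous version.
    mv "$app_bin" "$real_bin"
    write_wrapper "$app_bin" "$real_bin" "$rules"
}

# Write a user LaunchAgent to $1 that re-runs this script ($5) with
# "install" whenever the executable $2 is modified or replaced.
write_agent_plist() {
    plist="$1"; app_bin="$2"; rules="$3"; label="$4"; self="$5"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$self</string>
        <string>install</string>
        <string>$app_bin</string>
        <string>$rules</string>
    </array>
    <key>WatchPaths</key>
    <array><string>$app_bin</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Usage:  sandboxwrap.sh install  /Applications/App.app/Contents/MacOS/App  ~/app.sb
#         sandboxwrap.sh agent    /Applications/App.app/Contents/MacOS/App  ~/app.sb  com.example.sandboxwrap
# then:   launchctl load ~/Library/LaunchAgents/com.example.sandboxwrap.plist
case "${1:-}" in
    install) install_wrapper "$2" "$3" ;;
    agent)   write_agent_plist "$HOME/Library/LaunchAgents/$4.plist" "$2" "$3" "$4" \
                 "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" ;;
esac
```

Two caveats a practitioner should expect: replacing the main executable invalidates the bundle's code signature, so Gatekeeper and anything that checks the signature will no longer see a valid app, and the sandbox profile should be written for the binary at its new ".real" path. The marker check matters more than it looks: without it, the agent's own mv and write retrigger WatchPaths, the second run moves the wrapper over the real binary, and the app is lost.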