MacOS – How to enforce sandbox rules for the particular app

macos, sandbox, security

I wrote a sandbox specification file (inspired by files from /usr/share/sandbox and manuals like this) and now I can launch some app in sandbox with sandbox-exec $path_to_rules /Applications/$appname.app/Content/.... Fine.

Is there a way to enforce the rules when the app is started in regular way (Finder's "Open with…", etc)?

I thought about replacing the binary inside .app with wrapper script but it will be overwritten after app update and I will need to restore it every time.

Best Answer

Yes, you can change the binary, or even change the Info.plist, but, like changing the binary, you will need to do this again each time the app is updated. There's no way to do this without changing the app in a way that won't be overwritten when it's updated.

You can automatically make your changes with a Launch Agent.
Save the following in ~/Library/LaunchAgents as com.yourname.youragent.plist, then run launchctl load ~/Library/LaunchAgents/com.yourname.youragent.plist.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.yourname.youragent</string>
        <!-- Run only when triggered by WatchPaths below, not at load time -->
        <key>OnDemand</key>
        <true/>
        <!-- launchd hands ProgramArguments to execv(3) unchanged, so the first
             element must be the program itself and Program must be an absolute
             path. The cmp guard skips the copy when the bundle already contains
             your binary; otherwise cp would modify the watched file and
             re-trigger this agent on every run. -->
        <key>Program</key>
        <string>/bin/sh</string>
        <key>ProgramArguments</key>
        <array>
            <string>/bin/sh</string>
            <string>-c</string>
            <string>cmp -s "$1" "$2" || cp "$1" "$2"</string>
            <string>sh</string>
            <string>/Users/grgarside/test/MyApp</string>
            <string>/Applications/MyApp.app/Contents/MacOS/MyApp</string>
        </array>
        <!-- Fires whenever the bundle's main executable is modified, e.g. by an update -->
        <key>WatchPaths</key>
        <array>
            <string>/Applications/MyApp.app/Contents/MacOS/MyApp</string>
        </array>
    </dict>
</plist>

The above script will watch the WatchPaths for any modifications (in this case, it's watching the binary for an app) and will run cp to copy your binary to the app in /Applications.
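The wrapper the question mentions, as an added example that is not part of the question or the answer above: an idempotent installer that moves the bundle's real Mach-O aside and drops in a shell wrapper which re-executes it under sandbox-exec with your profile. Everything here is an assumption for illustration: the real binary is kept beside the wrapper as `<name>.real`, the profile path is passed as the second argument, and the marker comment is how the script recognises its own wrapper. Because an app update simply overwrites the wrapper with a fresh binary, running the installer again (for instance from the WatchPaths agent above, in place of cp) moves the new binary aside and re-wraps it.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Swap an app bundle's main executable for a wrapper that re-execs the real
# binary under sandbox-exec with a given profile. Safe to run repeatedly.
#
# Hypothetical layout assumed here:
#   $bin        /Applications/MyApp.app/Contents/MacOS/MyApp  (wrapper after install)
#   $bin.real   the original Mach-O, moved aside by this script
#   $profile    absolute path to your .sb profile (must not contain single quotes)

MARKER="# sandbox-wrapper-v1"

# Return 0 if the file at $1 is a wrapper produced by this script.
is_wrapped() {
    grep -qF "$MARKER" "$1" 2>/dev/null
}

install_sandbox_wrapper() {
    bin="$1"
    profile="$2"
    real="$bin.real"

    # Idempotency: if the bundle already holds our wrapper, nothing to do.
    # After an update the wrapper has been overwritten by the new binary,
    # so the marker is gone and we fall through to re-wrap it.
    if [ -f "$bin" ] && is_wrapped "$bin"; then
        return 0
    fi

    # Move the real binary aside (overwriting any stale .real from before
    # the update), then write the wrapper in its place.
    mv "$bin" "$real" || return 1
    cat > "$bin" <<EOF
#!/bin/sh
$MARKER
# Re-exec the real binary under the sandbox profile, preserving argv.
exec /usr/bin/sandbox-exec -f '$profile' '$real' "\$@"
EOF
    chmod 755 "$bin"
}

# Usage: sandbox-wrap.sh /Applications/MyApp.app/Contents/MacOS/MyApp /path/to/myapp.sb
if [ "$#" -eq 2 ]; then
    install_sandbox_wrapper "$1" "$2"
fi
```

Two caveats a practitioner should weigh before relying on this: replacing the main executable invalidates the bundle's code signature, so whether the app still launches (and keeps its TCC grants) depends on the macOS version and how the app is signed; and sandbox-exec is marked deprecated in its own man page, even though it still ships, so a profile that works today may need revisiting after an OS upgrade.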