macOS – Is there any way to control or limit Mac applications from creating files and directories that aren’t necessary or are malicious

filesystem, macos

Does anybody know if it is possible to stop certain applications from creating files on your computer but still run them? Maybe something similar to Python's venv but for .app files instead. I'm a little OCD about developers leaving behind unused files on my Mac, even if they are harmless.

Stuff like this is why I want an option to do this.
https://www.macobserver.com/tmo/article/how-manage-the-secret-software-that-google-chrome-installs-on-your-mac

I know you can view where files are going to be installed if the program uses a .pkg or installer application, but this doesn't really help if you want to use the program. A good answer for this would be to set up a virtual directory where these programs think they are installing to the system files and if the user isn't happy with the program they can easily nuke the virtual environment and start over fresh.

Does anybody know of anything like this?

Thanks so much

Best Answer

You might want to look into macOS’s built-in sandbox-exec. It can be used to run any command in a “sandbox” in which it can be denied access to the network, prevented from writing files in certain locations and so on.

At the bottom of this answer there’s a sandbox profile, “firefox-sandbox”, that was featured as an example on Mac OS X Hints of running Firefox in a sandbox where its ability to write files is (mostly) limited to your Downloads folder. I should note the hint is a few years old; the sandbox profile may require some fiddling for recent versions of macOS and Firefox, and I did not try it. The hint says Firefox can be run in the sandbox through:

sandbox-exec -f firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin

Some other links you may want to look at that cover sandbox-exec:

Here’s the “firefox-sandbox” file:

(version 1) 
(deny default)

(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/user_name/Downloads")
  (regex "^/Users/user_name/Library/Application Support/Mozilla")
  (regex "^/Users/user_name/Library/Application Support/Firefox")
  (regex "^/Users/user_name/Library/Preferences")
  (regex "^/Users/user_name/Library/PreferencePanes")
  (regex "^/Users/user_name/Library/Caches/Firefox")
  (regex "^/Users/user_name/Library/Caches/TemporaryItems")
  (regex "^/Applications/Firefox.app")
  (regex "^(/private)?/tmp/"))

(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/Library/Preferences")
  (regex "^/Library/Internet Plug-Ins")
  (regex "^/Library/PreferencePanes")
  (regex "^/usr/share/icu")
  (regex "^/usr/share/locale")
  (regex "^/System/Library")
  (regex "^/Applications/Firefox.app")
  (regex "^/usr/lib")
  (regex "^/var")
  (regex #"Frameworks/SDL.framework")
; Our Module Directory Services cache
  (regex "^/private/var/tmp/mds/")
  (regex "^/private/var/tmp/mds/[0-9]+(/|$)")
  (regex "^/Users/user_name"))

(allow mach* sysctl-read)

(import "/usr/share/sandbox/bsd.sb")
(deny file-write-data
   (regex #"^(/private)?/etc/localtime$"
     #"^/usr/share/nls/"
     #"^/usr/share/zoneinfo/"))

(allow process-exec 
  (regex "^/Applications/Firefox.app"))

(allow network*)
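The hint's profile hardcodes /Users/user_name, so it has to be edited before it does anything useful. As an added example (my own script, not part of the original answer or the Mac OS X hint), here is a POSIX shell wrapper that generates a comparable profile from the real paths and confines a program's writes to one directory, with a check that catches the unedited placeholder. The helper names (make_profile, profile_has_placeholder, run_confined) are this example's own; it assumes macOS's sandbox-exec and the SBPL `subpath` and `regex` filters.

```shell
#!/bin/sh
# Added example, not from the original answer or the Mac OS X hint.
# Generates a sandbox-exec profile for one program and confines its
# writes to a single directory, substituting real paths instead of
# the literal /Users/user_name placeholder. Helper names (make_profile,
# profile_has_placeholder, run_confined) are this script's own.
# Assumes macOS sandbox-exec and the SBPL filters subpath/regex.

# make_profile EXEC_ROOT SCRATCH_DIR
#   EXEC_ROOT:   tree holding the executables the program may run
#   SCRATCH_DIR: the only location the program may write to
make_profile() {
    exec_root=$1
    scratch_dir=$2
    cat <<EOF
(version 1)
(deny default)

; stat() on arbitrary paths is needed by dyld and most programs;
; it reveals file names, not contents
(allow file-read-metadata)

; read-only system locations a program needs in order to start
(allow file-read*
  (subpath "/System/Library")
  (subpath "/Library/Preferences")
  (subpath "/usr/lib")
  (subpath "/usr/share")
  (subpath "/private/var")
  (subpath "/dev")
  (subpath "$exec_root"))

; the only places the program may create or modify files
(allow file-read* file-write*
  (subpath "$scratch_dir")
  (regex #"^(/private)?/tmp/"))

(allow mach* sysctl-read)
(allow process-exec (subpath "$exec_root"))
(allow network*)
EOF
}

# Returns 0 when a profile still carries the literal user_name
# placeholder from the hint (i.e. it has not been adapted yet).
profile_has_placeholder() {
    grep -q '/Users/user_name' "$1"
}

# run_confined EXEC_ROOT SCRATCH_DIR COMMAND [ARGS...]
# Writes a throwaway profile, runs COMMAND under it, cleans up.
run_confined() {
    exec_root=$1; scratch_dir=$2; shift 2
    profile=$(mktemp "${TMPDIR:-/tmp}/confine.XXXXXX") || return 1
    make_profile "$exec_root" "$scratch_dir" > "$profile"
    if sandbox-exec -f "$profile" "$@"; then status=0; else status=$?; fi
    rm -f "$profile"
    return $status
}

# Stand-alone demo: print the generated profile and, on macOS, show that
# a write inside the scratch directory succeeds while one outside is denied.
demo_profile=$(mktemp "${TMPDIR:-/tmp}/confine.XXXXXX")
make_profile "/usr/bin" "$HOME/Downloads" > "$demo_profile"
cat "$demo_profile"
if command -v sandbox-exec >/dev/null 2>&1; then
    if sandbox-exec -f "$demo_profile" /usr/bin/touch "$HOME/Downloads/.sandbox-probe"; then
        echo "write under Downloads: allowed"
        rm -f "$HOME/Downloads/.sandbox-probe"
    fi
    sandbox-exec -f "$demo_profile" /usr/bin/touch "$HOME/Desktop/.sandbox-probe" 2>/dev/null \
        || echo "write under Desktop: denied"
fi
rm -f "$demo_profile"
```

The Firefox case from the answer then becomes `run_confined /Applications/Firefox.app "$HOME/Downloads" /Applications/Firefox.app/Contents/MacOS/firefox-bin`. As the answer warns, a `(deny default)` profile usually needs fiddling: if the program fails to start, the sandbox denials are recorded in the system log (visible in Console.app), and the read allow-list should be extended one path at a time rather than by granting `file-read*` on `/`.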