MacOS – sandboxing program like Sandboxie for Mac

Tags: applications, macos, sandbox, security

With Sandboxie for Windows, you are able to run applications that you don't entirely trust in a sandbox; it tracks all files the program creates and modifies, and although the files technically go to the system, you can roll back the changes by deleting this sandbox. This removes all the files created by the program and restores modified files to their previous state. In a way, it's like a system restore when you restore the system to a previous point; in this case, it would only restore the files that the program in question affected, so it is much easier to use. At least, that's how I understand it works.

On macOS, there are three(ish) ways to do this I know of:

  1. Make a Time Machine backup, and then install the program. After using it, restore from the backup and everything will come out intact as it was before.
  2. Use a VM to run it in; however, I'd like to avoid doing this as it complicates matters greatly.
  3. Use AppCleaner to remove files the program left behind. However, this doesn't do anything for files the program (perhaps maliciously?) modified, and if you install a program with administrative privileges or a package, it most likely will install files in the system that AppCleaner won't be able to get out. Also, I'm not sure if it is 100% accurate for normal apps, anyway.

So is there any way to do this on a Mac without using a VM?

Best Answer

macOS has a built-in Sandbox feature which may help you, but it does not have exactly the same functionality as Sandboxie.

This blog post by Paolo Fabio Zaino from 2015 explains how to run applications in a Mac OS X sandbox. He summarizes it this way:

by using sandboxing, you can restrict the access an application can have to operating system resources like the filesystem or network, etc.

Quoting his Blog Post:

How to sandbox an application?

First of all, to let Mac OS X know which resources your application requires to be able to run properly, we need to create a sandbox configuration file. This activity will require some time and testing because each application has different requirements.

Here is an example (change MyApp with your application name):

;; This is my first sandbox configuration file!
(version 1)
(deny default)

;; Let's allow file read and write in specific locations and not 
;; all over my filesystem!
;; Please note you can add more (regex "^/Users/user_name/xxxxxxxxxxx") lines depending 
;; on what your MyApp needs to function properly.
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/user_name/[Directories it requires to write and read from]")
  (regex "^/Applications/MyApp.app")
  (regex "^(/private)?/tmp/"))

;; You can also add a separate section for reading and writing files outside your
;; user_name account directory.
(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/System/Library")
  (regex "^/Applications/MyApp.app")
  (regex "^/usr/lib")
  (regex "^/var")
  (regex "^/Users/user_name"))

;; If your MyApp requires to access sysctl (in read)
(allow mach* sysctl-read)

;; If you want to import extra rules from 
;; an existing sandbox configuration file: 
(import "/usr/share/sandbox/bsd.sb")

;; If you want to decide in which filesystem paths 
;; MyApp is forbidden to write:
(deny file-write-data
   (regex #"^(/private)?/etc/localtime$"
     #"^/usr/share/nls/"
   #"^/usr/share/zoneinfo/"))

;; If your MyApp wants to run extra processes, it will be allowed to run only
;; child processes and nothing else
(allow process-exec 
  (regex "^/Applications/MyApp.app"))

;; If your MyApp requires network access you can grant it here:
(allow network*)

Once we are done with our sandbox configuration file for our application, we can simply execute it using the following command from the command line:

sandbox-exec -f myapp-sandbox-conf /Applications/MyApp.app/Contents/MacOS/MyApp-bin

Where myapp is the name of the application you want to run in a sandbox.

If my generic sandbox file is too generic for you and you want more practical examples (already implemented), then open your terminal application and have a look at all the examples already kindly provided by Apple:

ls /usr/share/sandbox

In this directory you'll find plenty of files like

sshd.sb

to look into for more insight and as a tutorial for writing your own sandbox configuration file for your specific application.
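As an added example (not the blog's code, and not part of the answer above), the script below generates a deny-by-default profile using the same operations as the quoted configuration file, but with the paths regex-escaped and anchored, then probes it with `sandbox-exec -p`. The helper names, the `~/SandboxScratch` directory and the use of `/bin` as a stand-in for the application bundle are assumptions; the probe only runs on macOS, where `sandbox-exec` exists.

```python
"""Generate a deny-by-default sandbox-exec profile and probe it (added example,
not the blog's code; paths, helper names and the /bin stand-in are assumptions)."""
import os
import re
import shlex
import shutil
import subprocess


def path_rule(path):
    """Path-prefix filter in the #"..." regex form Apple's .sb files use.
    re.escape keeps '.' in 'MyApp.app' literal; '(/|$)' keeps '^/Users/me/Docs'
    from also granting '/Users/me/Docs-private'."""
    return f'(regex #"^{re.escape(path.rstrip("/"))}(/|$)")'


def build_profile(app_bundle, writable_dirs, allow_network=False):
    """Same operations as the blog post's example, with escaped, anchored paths."""
    ro = [path_rule(p) for p in ("/System/Library", "/usr/lib", app_bundle)]
    rw = [path_rule(p) for p in list(writable_dirs) + ["/private/tmp"]]
    lines = [
        ";; generated profile: anything not listed below is denied",
        "(version 1)",
        "(deny default)",
        '(import "/usr/share/sandbox/bsd.sb")',
        "(allow file-read-data file-read-metadata\n  " + "\n  ".join(ro) + ")",
        "(allow file-write* file-read-data file-read-metadata\n  " + "\n  ".join(rw) + ")",
        "(allow process-exec " + path_rule(app_bundle) + ")",
        "(allow mach* sysctl-read)",
    ]
    if allow_network:
        lines.append("(allow network*)")  # only when the app really needs it
    return "\n".join(lines) + "\n"


def write_is_denied(profile, target):
    """True if a shell redirect to `target` fails under the profile (macOS only)."""
    if shutil.which("sandbox-exec") is None:
        raise RuntimeError("sandbox-exec exists only on macOS")
    cmd = ["sandbox-exec", "-p", profile, "/bin/sh", "-c", f": > {shlex.quote(target)}"]
    return subprocess.run(cmd, capture_output=True).returncode != 0


if __name__ == "__main__":
    scratch = os.path.expanduser("~/SandboxScratch")  # constructed writable dir
    os.makedirs(scratch, exist_ok=True)
    profile = build_profile("/bin", [scratch])  # /bin stands in for the app so /bin/sh may exec
    print(profile)
    print("write inside scratch denied:", write_is_denied(profile, scratch + "/probe"))
    print("write to ~/Desktop denied:", write_is_denied(profile, os.path.expanduser("~/Desktop/probe")))
```

Expect the first probe to report False and the second True; if the shell itself fails to start, the profile needs extra read rules for that binary, which is the per-application tuning the blog post describes.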