MacOS – Sandbox on Mac OS X

macossandboxSecurity

I can't use the sandbox-exec command as I expected.

The problem is that I cannot apply a custom profile with the -f switch: I get "operation not permitted" error which I could not trace to anything useful when I searched online for a solution.

$ sandbox-exec -f alfred-profile.sb /Applications/Alfred.app/Contents/MacOS/Alfred

sandbox-exec: /Applications/Alfred.app/Contents/MacOS/Alfred: Operation not permitted

It is, however, possible to run pre-defined profiles with the -n switch. The following example runs successfully (starts Alfred and does not allow the process to access the network).

$ sandbox-exec -n no-network /Applications/Alfred.app/Contents/MacOS/Alfred

Best Answer

What are the contents of alfred-profile.sb? I think you have denied/not explicitly allowed an operation that is required for the app to start. I would check that first, if possible.

Consider two profiles:

  1. A permissive profile, good_profile.sb:

    (version 1)
    (allow default)
    
  2. A restrictive profile, bad_profile.sb:

    (version 1)
    (deny default)
    

Note: a profile just consisting of (version 1) will display the same behavior, as deny is the default sandbox behavior.

Now, when I run the permissive profile on my machine, I get:

sandbox-exec -f good_profile.sb /sbin/ping www.google.com
PING www.google.com (216.58.194.196): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- www.google.com ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

But when I run the restricted profile I get:

sandbox-exec -f bad_profile.sb /sbin/ping www.google.com
sandbox-exec: /sbin/ping: Operation not permitted

In both cases, the profile was loaded, but in the second case the process was denied permissions needed to run and so never started.