I can't use the sandbox-exec command as I expected.
The problem is that I cannot apply a custom profile with the -f switch: I get "operation not permitted" error which I could not trace to anything useful when I searched online for a solution.
$ sandbox-exec -f alfred-profile.sb /Applications/Alfred.app/Contents/MacOS/Alfred
sandbox-exec: /Applications/Alfred.app/Contents/MacOS/Alfred: Operation not permitted
It is, however, possible to run pre-defined profiles with the -n switch. The following example runs successfully (starts Alfred and does not allow the process to access the network).
$ sandbox-exec -n no-network /Applications/Alfred.app/Contents/MacOS/Alfred
Best Answer
What are the contents of
alfred-profile.sb
? I think you have denied/not explicitly allowed an operation that is required for the app to start. I would check that first, if possible.Consider two profiles:
A permissive profile,
good_profile.sb
:A restrictive profile,
bad_profile.sb
:Note: a profile just consisting of
(version 1)
will display the same behavior, as deny is the default sandbox behavior.Now, when I run the permissive profile on my machine, I get:
But when I run the restricted profile I get:
In both cases, the profile was loaded, but in the second case the process was denied permissions needed to run and so never started.