Run untrusted application safely through sandbox-exec command

Tags: anti-virus, bash, malware, sandbox, Security

I'm trying to run a potentially untrusted application without the following permissions, through the sandbox-exec command:

  1. file write (to avoid corruption/injection of files)
  2. network (to avoid communicating outside of my network)
  3. process creation (to avoid forks)
  4. access to system data (to avoid system corruption)

Let's suppose I need to run my application MyApp.
I know it's possible to create a profile myprofile.sb such as the following one, but I'm not sure everything is included.

(version 1)
(allow default)
; bullet point #1
(deny file-write*)
(deny file-write-data)
; bullet point #2
(deny network*)
; bullet point #3
(deny process-fork)
(deny job-creation)
(deny process-exec)
; bullet point #4
(deny sysctl-write)
; logging every action possible
(trace "/tmp/myapp_output.sb")
(debug all)

At this point, I run the following command to run MyApp safely:

sandbox-exec -f ./myprofile.sb MyApp

If I run sample commands (e.g. ping google.it or touch /tmp/file.txt), the commands are executed correctly. Why? Am I missing something?

Best Answer

I know it's an old question, but maybe someone finds the answer useful.

The trace operation generates rules in the given output file.

These rules are for operations that would have been denied. (source: Apple Sandbox Guide)

This means that the operations are not denied by the deny rules if the trace operator is in the profile file.
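Putting the answer into practice, as an added example that is neither the question's profile nor the answer's own code: the script below emits the profile without the trace directive so the denies are enforced, uses the `;` comment form SBPL expects, allows process-exec for the target path only (assumed `literal` filter; an unconditional deny would stop sandbox-exec from launching the target), and then probes the commands from the question. It assumes macOS with sandbox-exec on PATH.

```shell
#!/bin/sh
# Added example, not from the question or answer. Assumes macOS with
# sandbox-exec on PATH and that probed programs resolve via `command -v`.

# Emit an enforcing profile for one target executable ($1, absolute path).
# Differences from the question's profile:
#  - no (trace ...): trace mode records the rules an operation would need
#    instead of enforcing the denies, so it is left out;
#  - comments use ';' (SBPL is Scheme-like);
#  - process-exec is allowed for the target path only (assumed `literal`
#    filter, later rule wins), because sandbox-exec applies the profile before
#    exec'ing the target, so an unconditional deny would stop it from starting.
make_profile() {
    cat <<EOF
(version 1)
(allow default)
; 1. no file writes
(deny file-write*)
; 2. no network
(deny network*)
; 3. no new processes beyond the one sandbox-exec launches
(deny process-fork)
(deny job-creation)
(deny process-exec)
(allow process-exec (literal "$1"))
; 4. no system configuration changes
(deny sysctl-write)
EOF
}

# Run a command under the profile and report whether it was blocked.
# Returns 0 when blocked, 1 when it ran, 2 when the probe could not be set up.
probe() {
    command -v sandbox-exec >/dev/null 2>&1 || { echo "sandbox-exec not found"; return 2; }
    target=$(command -v "$1") || { echo "no such command: $1"; return 2; }
    profile=$(mktemp /tmp/probe.XXXXXX) || return 2
    make_profile "$target" >"$profile"
    if sandbox-exec -f "$profile" "$@" >/dev/null 2>&1; then
        printf 'NOT BLOCKED: %s\n' "$*"; rc=1
    else
        printf 'blocked:     %s\n' "$*"; rc=0
    fi
    rm -f "$profile"; return $rc
}

# Control first (read-only, expected to run), then the checks from the question.
if command -v sandbox-exec >/dev/null 2>&1; then
    probe ls /
    probe touch /tmp/file.txt
    probe ping -c 1 google.it
fi
```

The read-only control run is there so a profile that stops every program from starting (for example one that still denies exec of the target) is not mistaken for a working one.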