Meet Mac's "sandbox-exec"

I was working on something to block outgoing connections for one particular app only. I use a Mac running Leopard, so the first place I looked was System Preferences -> Security -> Firewall. I was disappointed to find no "Block Outgoing Connections" option: it can only block incoming connections. Anyway…

Then I met sandbox-exec :) It runs apps in a sandbox, which you define to restrict access to different resources: network, file system, etc. Here's a simple sandbox file which denies network access…


(version 1)
(allow default)
(deny network*)

Running sandbox-exec with the above file will deny all network access to your app, both outgoing and incoming. Here's an example session showing bash running with and without it:


$ ping -t3 google.com
PING google.com (74.125.67.100): 56 data bytes
64 bytes from 74.125.67.100: icmp_seq=0 ttl=49 time=368.312 ms
64 bytes from 74.125.67.100: icmp_seq=1 ttl=49 time=318.240 ms
64 bytes from 74.125.67.100: icmp_seq=2 ttl=49 time=319.793 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 318.240/335.448/368.312/23.247 ms
$ 
$
$ cat block-network.sb 
(version 1)
(allow default)
(deny network*)
$ 
$ sandbox-exec -f block-network.sb /bin/bash 
$ ping -t3 google.com
bash: /sbin/ping: Operation not permitted
$ ping -t3 yahoo.com
bash: /sbin/ping: Operation not permitted
$ ping -t3 apple.com
bash: /sbin/ping: Operation not permitted
$ exit
exit
$ ping -t3 google.com
PING google.com (74.125.67.100): 56 data bytes
64 bytes from 74.125.67.100: icmp_seq=0 ttl=49 time=321.997 ms
64 bytes from 74.125.67.100: icmp_seq=1 ttl=49 time=321.350 ms
64 bytes from 74.125.67.100: icmp_seq=2 ttl=49 time=321.676 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 321.350/321.674/321.997/0.264 ms
$

If you want to write more sophisticated sandbox files, you should probably check out the example profiles present in /usr/share/sandbox/.
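As an added example (not from the original post), here is a profile that gets closer to the original goal of blocking only outgoing connections for one app, while leaving inbound and loopback traffic alone. It uses the `network-outbound`/`network-inbound` operations and the `remote`/`local` filters found in the Snow Leopard-and-later profiles; the exact filter syntax your OS version accepts is an assumption here, so cross-check it against the profiles in /usr/share/sandbox/ on your own machine.

```scheme
(version 1)
(allow default)

;; Block every outbound connection attempt (TCP connect, UDP send, etc.).
(deny network-outbound)

;; But keep loopback working, so the app can still talk to local services
;; such as a proxy or a local database on 127.0.0.1.
(allow network-outbound (remote ip "localhost:*"))

;; Unix-domain sockets count as network operations too; mDNSResponder is
;; needed for DNS lookups. The path is an assumption; check your system.
(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))

;; Inbound and bind are untouched by the deny above, so a server inside the
;; sandbox can still accept connections. Make that explicit for readability.
(allow network-inbound)
(allow network-bind)

;; Record denied operations in the system log so you can see what the app
;; tried to do instead of guessing why it failed.
(debug deny)
```

Run it the same way as the earlier profile, `sandbox-exec -f block-outbound.sb /path/to/app`, and watch the system log for sandbox denial messages. Later macOS releases mark sandbox-exec as deprecated, although it still ships, so the profile syntax and available operations can differ between versions.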

Enjoy…

Published 26 June 2009