April 17, 2025
What is sandbox-exec?
sandbox-exec is a built-in macOS command-line utility that lets you run applications in a sandboxed environment. In short, it creates an isolated space in which an application runs with limited access to system resources: it can reach only what you explicitly allow.
The concept behind sandboxing is fundamental to modern security: by restricting what an application can access, you reduce the potential harm from malicious code or unintended behavior. Think of it as placing an application in a secure room where it can interact only with the specific items you put there.
Benefits of Application Sandboxing
Before we dive into the usage, let’s understand why sandboxing matters:
- Protection against malicious code: If you’re testing an unfamiliar application or script, sandboxing can prevent it from accessing sensitive files or sending data over the network.
- Damage limitation: Even trusted applications can have vulnerabilities. Sandboxing limits the potential impact if an application is compromised.
- Privacy control: You can explicitly deny the application access to personal directories such as Documents, Photos, or Contacts.
- Test environment: Developers can test how apps behave with limited permissions before implementing formal App Sandbox entitlements.
- Resource restrictions: Beyond security, sandboxing can limit an application’s resource consumption or network access.
Getting started with sandbox-exec
To use sandbox-exec you need a sandbox profile (a configuration file) that defines the rules of your secure environment. The basic syntax is:
sandbox-exec -f profile.sb command_to_run
Here profile.sb contains the rules that define what the sandboxed application can and cannot do, and command_to_run is the application you want to run under those constraints.
Understanding Sandbox Profiles
Sandbox profiles use a Scheme-like syntax (a LISP dialect) made of parenthesized expressions. The basic structure includes:
- A version declaration: (version 1)
- A default policy: (deny default) or (allow default)
- Specific rules allowing or denying operations
Rules can target specific resources using the following:
- Literal path: (literal "/path/to/file")
- Regular expression: (regex "^/System")
- Subpath (glob-like) pattern: (subpath "/Library")
See the appendix for a more complete list of available rules.
Two fundamental approaches to sandboxing
There are two primary philosophies when creating a sandbox profile:
1. Deny by default (safest)
This approach starts by denying everything and then explicitly allows only the essential operations:
(version 1)
(deny default)
(allow file-read-data (regex "^/usr/lib"))
(allow process-exec (literal "/usr/bin/python3"))
This is the most secure method and ideal for running untrusted code, but it requires careful configuration to keep the application functional.
2. Allow by default (more permissive)
Alternatively, you can allow everything except specific operations:
(version 1)
(allow default)
(deny network*)
(deny file-write* (regex "^/Users"))
This approach is easier to implement but less secure, because you have to anticipate every potentially risky operation.
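To make the deny-by-default approach concrete, here is a small shell helper, added for this article and not part of the original post, that generates such a profile from a few arguments, sanity-checks it, and only then hands it to sandbox-exec. The interpreter path, the /opt/project directory and the two library directories in the generated rules are assumptions for illustration; a real program will need further allow rules, which you discover one at a time from the Sandbox log.

```shell
#!/bin/sh
# Generate a deny-by-default sandbox profile and run a command under it.
# Added example, not from the original post. Paths and the set of allow rules are
# assumptions for illustration: a real interpreter needs more, and every missing
# rule shows up as a denial in the Sandbox log.

# write_deny_profile OUTFILE EXEC_PATH [READ_PREFIX ...]
# Writes a (deny default) profile that lets EXEC_PATH start and read the listed prefixes.
write_deny_profile() {
    out=$1
    exe=$2
    shift 2
    {
        echo '(version 1)'
        echo '(deny default)'
        # the program itself
        printf '(allow process-exec (literal "%s"))\n' "$exe"
        # shared libraries and frameworks needed to start (assumed minimum)
        echo '(allow file-read* (subpath "/usr/lib"))'
        echo '(allow file-read* (subpath "/System/Library"))'
        # every extra argument becomes a read-only subpath rule
        for prefix in "$@"; do
            printf '(allow file-read* (subpath "%s"))\n' "$prefix"
        done
    } > "$out"
}

# profile_rule_count FILE: number of (allow ...) / (deny ...) rules in a profile.
profile_rule_count() {
    grep -c -e '^(allow ' -e '^(deny ' "$1"
}

# profile_parens_balanced FILE: cheap sanity check before handing the file to
# sandbox-exec, which reports a mismatched parenthesis with an unhelpful error.
# Profile comments start with ';' and are ignored; a ')' inside a quoted path would fool it.
profile_parens_balanced() {
    opens=$(sed 's/;.*//' "$1" | tr -cd '(' | wc -c | tr -d ' ')
    closes=$(sed 's/;.*//' "$1" | tr -cd ')' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# run_sandboxed PROFILE COMMAND [ARGS ...]: apply the profile if sandbox-exec exists.
run_sandboxed() {
    profile=$1
    shift
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "sandbox-exec not found (macOS only)" >&2
        return 127
    fi
    profile_parens_balanced "$profile" || { echo "unbalanced parentheses in $profile" >&2; return 1; }
    sandbox-exec -f "$profile" "$@"
}

# Usage (macOS): write the profile, then run a script with read access to one project directory.
#   write_deny_profile py.sb /usr/bin/python3 /opt/project
#   run_sandboxed py.sb /usr/bin/python3 /opt/project/tool.py
```

The parenthesis check is deliberately minimal; its only job is to catch the most common editing mistake before sandbox-exec does, since the error it prints for a malformed profile does not point at the offending line.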
Practical examples of sandbox-exec in action
Let’s look at some real-world examples to demonstrate the power of custom sandboxing.
Example: sandboxed terminal session
Create a sandboxed terminal session that cannot access the network:
# Create terminal-sandbox.sb:
(version 1)
(allow default)
(deny network*)
(deny file-read-data (regex "^/Users/[^/]+/(Documents|Pictures|Desktop)"))
# Run a sandboxed terminal
sandbox-exec -f terminal-sandbox.sb zsh
This creates a terminal session that functions normally but cannot access the network or read from your personal directories.
Example: Using Pre-Created System Profiles
macOS includes several pre-built sandbox profiles in /System/Library/Sandbox/Profiles:
# Run a command with the system's no-network profile
sandbox-exec -f /System/Library/Sandbox/Profiles/weatherd.sb command
These system profiles provide configurations for common restriction scenarios and applications. Some of them are well commented, so you can use them as a basis for your own profiles.
Debugging sandbox issues
When applications fail in the sandbox, determining the cause can be challenging. Here are effective debugging techniques:
Using the Console App
- Open Console.app (Applications → Utilities → Console)
- Search for “sandbox” and the name of your application
- Look for “Deny” lines to identify blocked operations
Using Terminal for Real-Time Logs
For real-time monitoring of sandbox violations:
log stream --style compact --predicate 'sender=="Sandbox"'
To filter for a specific app:
log stream --style compact --predicate 'sender=="Sandbox" and eventMessage contains "python"'
These logs show exactly which operations are being denied, helping you refine your sandbox profile.
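The denial lines are the raw material for refining a profile, so here is a small shell helper, added for this article and not part of the original post, that turns them into per-operation counts and candidate allow rules. The SAMPLE_LOG lines are constructed to approximate the shape of the compact log output shown above (real lines differ in their prefix); the only thing the helper relies on is the "deny(N) <operation> <path>" part that every Sandbox denial carries.

```shell
#!/bin/sh
# Turn Sandbox denial log lines into counts and candidate allow rules.
# Added example, not from the original post. SAMPLE_LOG is constructed to approximate
# the shape of `log stream --style compact --predicate 'sender=="Sandbox"'` output;
# real lines differ in detail, but each carries "deny(N) <operation> <path>".
SAMPLE_LOG='2025-04-17 10:01:02.100 Df kernel[0:1a2b] (Sandbox) Sandbox: python3(4242) deny(1) file-read-data /Users/alice/Documents/notes.txt
2025-04-17 10:01:02.105 Df kernel[0:1a2b] (Sandbox) Sandbox: python3(4242) deny(1) network-outbound /private/var/run/mDNSResponder
2025-04-17 10:01:02.110 Df kernel[0:1a2b] (Sandbox) Sandbox: python3(4242) deny(1) file-read-data /Users/alice/Documents/secret.txt
2025-04-17 10:01:02.120 Df kernel[0:1a2b] (Sandbox) Sandbox: zsh(4240) deny(1) file-write-data /Users/alice/.zsh_history'

# deny_summary: reads log lines on stdin, prints "<operation> <count>" one per line, sorted.
deny_summary() {
    awk '
        {
            i = index($0, "deny(")
            if (i == 0) next
            split(substr($0, i), f, " ")    # f[1]="deny(1)", f[2]=operation, f[3]=path
            count[f[2]]++
        }
        END { for (op in count) print op, count[op] }' | sort
}

# count_denials OPERATION: number of denial lines for one operation.
count_denials() {
    awk -v op="$1" '
        {
            i = index($0, "deny(")
            if (i == 0) next
            split(substr($0, i), f, " ")
            if (f[2] == op) c++
        }
        END { print c + 0 }'
}

# suggest_allow OPERATION: one candidate (allow ...) rule per distinct denied path.
# Each suggestion must be reviewed: allowing everything that was denied defeats the sandbox,
# and a (subpath ...) or (regex ...) rule is usually better than a pile of literals.
suggest_allow() {
    awk -v op="$1" '
        {
            i = index($0, "deny(")
            if (i == 0) next
            split(substr($0, i), f, " ")
            if (f[2] != op || f[3] == "" || seen[f[3]]++) next
            printf "(allow %s (literal \"%s\"))\n", op, f[3]
        }'
}

# Usage against the constructed sample; on macOS replace the printf with, e.g.,
#   log show --last 10m --style compact --predicate 'sender=="Sandbox"'
printf '%s\n' "$SAMPLE_LOG" | deny_summary
printf '%s\n' "$SAMPLE_LOG" | suggest_allow file-read-data
```

Feed it a bounded `log show` window rather than `log stream`, because the summary functions print only at end of input. Treat the suggested rules as a starting list to prune, not as the new profile: two denied files under Documents usually mean the program wants one directory, so a single subpath rule is both shorter and easier to audit than a literal per file.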
Advanced Sandbox Techniques
Creating a Sandbox Alias
For frequent sandboxing, add an alias to your shell configuration:
# Add to ~/.zshrc or ~/.bash_profile
alias sandbox-no-network='sandbox-exec -p "(version 1)(allow default)(deny network*)"'
# Then use it as:
sandbox-no-network curl -v https://google.com
But when I did the same for UI applications it didn’t work for some reason (I can still open Google.com):
sandbox-no-network /Applications/Firefox.app/Contents/MacOS/firefox
Importing an existing profile
You can import and extend existing profiles:
(version 1)
(import "/System/Library/Sandbox/Profiles/bsd.sb")
(deny network*) ; add additional restrictions (profile comments start with ';', not '#')
Limitations and Considerations
Despite its power, sandbox-exec has some limitations to consider:
- Deprecated status: While functional, Apple discourages its direct use in favor of App Sandbox for developers.
- Complex applications: Modern applications often have complex requirements that make comprehensive sandboxing challenging without extensive testing.
- Trial and error: Creating an effective sandbox profile often requires iterative testing to identify all required permissions.
- No GUI: Unlike App Sandbox in Xcode, sandbox-exec has no graphical interface for configuration.
- System updates: Major macOS updates may change how sandbox-exec behaves or which rules are in effect.
While Apple has moved toward a more user-friendly security model, sandbox-exec remains a powerful tool for those willing to invest the time to learn its complexities. It provides a level of control and customization that GUI-based solutions simply cannot match.
For security-conscious users, developers testing applications, or anyone working with potentially untrusted code, sandbox-exec provides a native macOS solution for creating a tighter security environment. Although it takes effort to learn its possibilities, especially given the lack of documentation, the security benefits make it worthwhile.
The most powerful aspect of sandbox-exec is its flexibility: you can create custom security profiles tailored to specific applications and use cases, going far beyond the one-size-fits-all approach of most security tools.
What’s next
If you’re interested in learning more about macOS security tools and technologies, check out Apple’s official documentation on App Sandbox, or look at the pre-built sandbox profiles in /System/Library/Sandbox/Profiles to see how Apple implements sandboxing for system services.