A wrapper around Mac's sandbox-exec that lets you easily run terminals/programs within sandboxes for a slightly safer day-to-day computing experience.
Useful if you don't want every npm/cargo/pip transitive dependency to have full access to your filesystem and network.
See this writeup for a bit more background.
Add bin/ to your path.
-
sbopens a shell in an offline sandbox that can only read/write the current directory and its children. See base.sb for the default sandbox profile. -
sb onlineopens a shell in an online sandbox. -
sb online -- ping www.google.comrunsping www.google.comin an online sandbox and returns. -
In general:
sb foo bar baz -- commandsources profilesfoo.sb,bar.sb,baz.sbfrom the profile directory and runscommandwithin that sandbox.
If an app doesn't work a sanbox, search for "sandbox" in Console.app to see what permissions the app was denied and try granting these permissions via a custom profile.
When running in a sandbox, the following env vars will be defined:
SANDBOX_MODE_NETWORK- online
- offline
I find it helpful to add emoji to my ZSH prompt to remind me of my shell's capabilities:
PROMPT="%(?.%F{green}.%F{red})"
PROMPT="%(?.%F{green}.%F{red})"
if [[ "online" = "${SANDBOX_MODE_NETWORK:-online}" ]]; then
PROMPT+="📡"
fi
if [[ -r "$HOME" ]]; then
PROMPT+="🏠"
fi
PROMPT+=" |%f "deny forbidden-sandbox-reinitis thrown by:- Electron
swift build(thoughswiftstarts a REPL just fine)
- https://www.karltarvas.com/2020/10/25/macos-app-sandboxing-via-sandbox-exec.html
- Take a look around Apple's built-in profiles in /System/Library/Sandbox/Profiles
