Besides the pre-configured profiles, OS X's sandbox wrapper command sandbox-exec provides a flexible configuration syntax that allows one to create a customized sandbox that either blacklists or whitelists specific abilities of the application executed within.
A sandbox profile defines what an application running inside the sandbox should be able to do. The following example, no-network.sb, allows anything except any kind of network access. This might be useful if you want an application to keep your data private instead of sending it home:
(version 1) (allow default) (deny network*)
Swapping the two, (deny default) (allow network*), would deny anything except networking. It's that easy.
Other abilities include mach-lookup and others; some need additional parameters such as file or folder names.
The following link provides additional examples of sandbox profiles:
Running a command sandboxed
You can run any CLI or desktop application by executing its Mach-O binary file through sandbox-exec. The following command runs VLC player without network access:
sandbox-exec -f no-network.sb /Applications/VLC.app/Contents/MacOS/VLC
Please note that while the sandbox mechanism is good enough for almost any use case, it still does not provide perfect security; a bypass is described, for example, here: http://www.coresecurity.com/content/apple-osx-sandbox-bypass