macOS includes a sandboxing mechanism to closely control what processes can do on the system. Sandboxing can restrict file system accesses on a path level, control which host/port pairs can be reached over the network, limit which binaries can be executed, and much more. All applications installed via the App Store are subject to sandboxing.

This sandboxing functionality is exposed via the sandbox-exec(1) command-line utility, which unfortunately has been listed as deprecated for at least the last two major versions of macOS. It is still there, however, and the supplemental manual pages like sandbox(7) or sandboxd(8) do not mention the deprecation… which makes me think that the new App Sandboxing feature is built on the same kernel subsystem as sandbox-exec(1).

Anyway, so if this tool is deprecated, why am I writing about it?

Because we still use sandbox-exec(1) in Bazel to implement action sandboxing on macOS. each compiler invocation) runs with a configuration that looks like this:

```
(version 1)
(allow network* (local ip "localhost:*"))
(allow network* (remote ip "localhost:*"))
(subpath "/Users/cooluser/Library/Developer")
```

This profile restricts actions so that they can only write to a specific set of directories and so that they cannot access remote network services.

We got a recent bug report saying that network blocking had stopped working (#10068), which made us fear that the deprecation had finally taken place on Catalina and that our use of this tool was now completely broken.
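To check that a profile of the kind shown above really limits network rules to localhost, the sketch below parses the profile text and lists the writable subpaths and any `allow network*` rule that reaches further. It is an added example, not Bazel's code or the author's; the `(deny ...)` lines and the `(allow file-write* ...)` wrapper in the sample are assumptions, and `parse`, `localhost_only` and `audit` are hypothetical names.

```python
import re

# Constructed sample. The (version 1), network and subpath lines are the ones
# on the page; the deny rules and the file-write* wrapper are assumptions.
SAMPLE = """
(version 1)
(deny file-write*)
(allow file-write* (subpath "/Users/cooluser/Library/Developer"))
(deny network*)
(allow network* (local ip "localhost:*"))
(allow network* (remote ip "localhost:*"))
"""

TOKEN = re.compile(r';[^\n]*|\(|\)|"(?:[^"\\]|\\.)*"|[^\s()";]+')

def parse(text):
    """Parse profile text into nested lists; ';' starts a comment."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]

def localhost_only(flt):
    """True for (local ip "localhost:...") or (remote ip "localhost:...")."""
    return (isinstance(flt, list) and len(flt) == 3 and flt[0] in ("local", "remote")
            and flt[1] == "ip" and str(flt[2]).startswith("localhost:"))

def audit(text):
    """Return (writable subpaths, network allow rules not limited to localhost)."""
    writable, findings = [], []
    for form in parse(text):
        if not (isinstance(form, list) and len(form) >= 2
                and form[0] == "allow" and isinstance(form[1], str)):
            continue
        op, filters = form[1], form[2:]
        if op.startswith("file-write"):
            writable += [f[1] for f in filters
                         if isinstance(f, list) and len(f) == 2 and f[0] == "subpath"]
        elif op.startswith("network"):
            if not filters:
                findings.append(f"(allow {op}) has no filter")
            findings += [f"(allow {op} ...) reaches beyond localhost: {f}"
                         for f in filters if not localhost_only(f)]
    return writable, findings
```

An empty findings list only says the profile text is scoped as intended; whether the sandbox enforces it on a given macOS release still has to be verified at runtime.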