11Ağu
Native OS X sandbox profile to control network access (IP/host-based)
On Mac OS X, is it possible to limit an application's accessible hosts by using sandbox-exec?
I can easily do it via a firewall app, but I would prefer to do it via the native sandbox mechanism in certain cases.
So far I've tried by using something like this in the sandbox profile:
(allow default)
(deny network-inbound)
(deny network-outbound)
(allow network-outbound (remote ip "10.0.1.1:443"))
but I get errors when I try to run sandbox-exec:
<snip>: host must be * or localhost in network address
There is no official documentation for the native OS X sandbox as far as I know, and the examples included in /usr/share/sandbox
and /System/Library/Sandbox/Profiles/
don't have anything similar to what I'm trying to do.