• caglararli@hotmail.com
  • 05386281520

Native OS X sandbox profile to control network access (IP/host-based)

Çağlar Arlı      -    15 Views

Native OS X sandbox profile to control network access (IP/host-based)

On Mac OS X, is it possible to limit an application's accessible hosts by using sandbox-exec?

I can easily do it via a firewall app, but I would prefer to do it via the native sandbox mechanism in certain cases.

So far I've tried by using something like this in the sandbox profile:

(allow default)
(deny network-inbound)
(deny network-outbound)
(allow network-outbound (remote ip "10.0.1.1:443"))

but I get errors when I try to run sandbox-exec:

<snip>: host must be * or localhost in network address

There is no official documentation for the native OS X sandbox as far as I know, and the examples included in /usr/share/sandbox and /System/Library/Sandbox/Profiles/ don't have anything similar to what I'm trying to do.