logoalt Hacker News

m132today at 6:30 PM1 replyview on HN

> not much to do with "App Sandboxes" which is a distinct macOS feature

The App Sandbox is literally Seatbelt + Cocoa "containers". secinitd translates App Sandbox entitlements into a Seatbelt profile and that is then transferred back to your process via XPC and applied by an libsystem_secinit initializer early in the process initialization, shortly before main(). This is why App Sandbox programs will crash with `forbidden-sandbox-reinit` in libsystem_secinit if you run them under sandbox-exec. macOS does no OS-level virtualization.

Replies

bdashtoday at 7:08 PM

It is a little more direct than that even. The application's entitlements are passed into the interpretation of the sandbox profile. It is the sandbox profile itself that determines which policies should be applied in the resulting compiled sandbox policy based on entitlements and other factors.

An example from /System/Library/Sandbox/Profiles/application.sb, the profile that is used for App Sandboxed applications, on my system:

  (when (entitlement "com.apple.security.files.downloads.read-only")
        (read-only-and-issue-extensions (home-subpath "/Downloads")))
  (when (entitlement "com.apple.security.files.downloads.read-write")
        (read-write-and-issue-extensions (home-subpath "/Downloads")))
  (when (or (entitlement "com.apple.security.files.downloads.read-only")
            (entitlement "com.apple.security.files.downloads.read-write"))
        (allow process-exec (home-subpath "/Downloads")))