#include
New processes inherit the sandbox of their parent. Restrictions are generally enforced upon acquisition of operating
system resources only. For example, if file system writes are restricted, an application will not be able to open(2) a
file for writing. However, if the application already has a file descriptor opened for writing, it may use that file
descriptor regardless of restrictions.
SEE ALSO
sandbox-exec(1), sandbox_init(3), sandboxd(8)
‡ indicates a prefix of
com.apple.
All are suffixed by .sb
Recently Modified:
application ‡coreservices.appleevents.appleeventsd ‡reversetemplated
apsd ‡coreservices.launchservices.launchservicesd ‡revisiond
bsd ‡ctkd ‡rtcreportingd
cloudpaird ‡datadetectors.sourceaccess ‡secinitd
colorsyncd ‡deleted ‡securitydservice
‡AirPlayXPCHelper ‡diagnosticd ‡speech.speechsynthesisd
‡AnnotationKit.MigratorService ‡dprivacyd ‡storeaccountd
‡AssetCacheLocatorService ‡dz.dznd ‡storeassetd
‡CMValidateMovieDataReferenceService ‡efilogin-helper ‡storedownloadd
‡CodeSigningHelper ‡eosauthagent ‡storeinappd
‡CommerceKit.TransactionService ‡icloud.findmydeviced.findmydevice-user-agent ‡storelegacy
‡DumpGPURestart ‡iconservicesagent ‡storereceiptinstaller
‡IOAccelMemoryInfoCollector ‡iconservicesd ‡storeuid
‡PIPAgent ‡logd ‡suggestd
‡ReportGPURestart ‡mtlcompilerservice ‡swcd
‡ReportPanicService ‡navd ‡tccd
‡SpeechRecognitionCore.brokerd ‡neagent ‡touchbar.agent
‡SpeechRecognitionCore.speechrecognitiond ‡nehelper ‡useractivityd
‡XprotectFramework.AnalysisService ‡nesessionmanager ‡writeconfig
‡assistantd ‡networkserviceproxy ‡xpchelper
‡audio.coreaudiod ‡nlcd com.openssh.sshd
‡audio.systemsoundserverd ‡noticeboard.agent coresymbolicationd
‡authd ‡noticeboard.state directoryserver
‡avconferenced ‡notifyd fmfd
‡captiveagent ‡opendirectoryd opendirectory
‡cf.appsleepd ‡pboard racoon
‡controlstrip ‡pictd system
‡coreduetd ‡qtkitserver
‡corefoundation ‡qtkittrustedmoviesservice
686 Oct 19 2016 com.apple.diagnosticd.sb
786 Oct 19 2016 com.apple.logd.sb
5875 Oct 19 2016 system.sb
2173 Oct 19 2016 com.apple.captiveagent.sb
1548 Oct 19 2016 com.apple.ReportPanicService.sb
796 Oct 20 2016 com.apple.securitydservice.sb
942 Oct 20 2016 com.apple.authd.sb
479 Oct 20 2016 com.apple.CodeSigningHelper.sb
6491 Oct 20 2016 cloudpaird.sb
1134 Oct 20 2016 com.apple.ctkd.sb
62342 Oct 28 2016 application.sb
3248 Oct 29 2016 com.apple.SpeechRecognitionCore.speechrecognitiond.sb
4365 Nov 4 2016 com.apple.avconferenced.sb
4600 Nov 6 2016 com.apple.AirPlayXPCHelper.sb
5365 Nov 8 2016 com.apple.suggestd.sb
380 Nov 15 2016 com.apple.touchbar.agent.sb
383 Nov 15 2016 com.apple.controlstrip.sb
2107 Dec 2 2016 com.apple.eosauthagent.sb
Smallest:cf.appsleepd
(version 1)
(import "bsd.sb")
(deny default)
You can modify /System/Library/Sandbox/Profiles/system.sb
to allow lsboxd
and coresymbolicationd
to get rid of errors. Make a backup of system.sb
, add to end
a nd reboot.
;;; MDWorker Fix
(allow mach-lookup
(global-name "com.apple.ls.boxd")
(local-name "com.apple.ls.boxd")
(global-name "com.apple.coresymbolicationd")
(local-name "com.apple.coresymbolicationd"))
system.sb
;;;;;; Common system sandbox rules
(version 1)
;;; Allow registration of per-pid services.
(allow mach-register
(local-name-prefix ""))
(allow file-read* ;;; Allow read access to standard system paths.
(require-all (file-mode #o0004) ;read
(require-any (subpath "/Library/Filesystems/NetFSPlugins")
(subpath "/Library/Preferences/Logging") ; Logging Rethink
(subpath "/System")
(subpath "/private/var/db/dyld")
(subpath "/usr/lib")
(subpath "/usr/share") ) ) )
(allow file-read* ;;; Allow reading internal profiles on development builds
(require-all (file-mode #o0004)
(subpath "/AppleInternal/Library/Preferences/Logging")
(system-attribute apple-internal)))
(allow file-read-metadata
(literal "/etc")
(literal "/tmp")
(literal "/var")
(literal "/private/etc/localtime") )
(allow file-read* ;;; Allow access to standard special files.
(literal "/dev/autofs_nowait")
(literal "/dev/random")
(literal "/dev/urandom")
(literal "/private/etc/master.passwd")
(literal "/private/etc/passwd") )
(allow file-read*
file-write-data
;;;;;;
;;;;;; Copyright (c) 2008-2009 Apple Inc. All Rights reserved.
;;;;;;
;;;;;; WARNING: The sandbox rules in this file currently constitute
;;;;;; Apple System Private Interface and are subject to change at any time and
;;;;;; without notice. The contents of this file are also auto-generated and
;;;;;; not user editable; it may be overwritten at any time.