Sandbox on Mac OS

/System/Library/Sandbox/Profiles/system.sb

#include Allows applications to voluntarily restrict their access to operating system resources. This safety mechanism is intended to limit potential damage in the event that a vulnerability is exploited. It is not a replacement for other operating system access controls.

New processes inherit the sandbox of their parent. Restrictions are generally enforced upon acquisition of operating system resources only. For example, if file system writes are restricted, an application will not be able to open(2) a file for writing. However, if the application already has a file descriptor opened for writing, it may use that file descriptor regardless of restrictions.

SEE ALSO sandbox-exec(1), sandbox_init(3), sandboxd(8) ^‡ indicates a prefix of com.apple.
All are suffixed by .sb

application	^‡coreservices.appleevents.appleeventsd	^‡reversetemplated
apsd	^‡coreservices.launchservices.launchservicesd	^‡revisiond
bsd	^‡ctkd	^‡rtcreportingd
cloudpaird	^‡datadetectors.sourceaccess	^‡secinitd
colorsyncd	^‡deleted	^‡securitydservice
^‡AirPlayXPCHelper	^‡diagnosticd	^‡speech.speechsynthesisd
^‡AnnotationKit.MigratorService	^‡dprivacyd	^‡storeaccountd
^‡AssetCacheLocatorService	^‡dz.dznd	^‡storeassetd
^‡CMValidateMovieDataReferenceService	^‡efilogin-helper	^‡storedownloadd
^‡CodeSigningHelper	^‡eosauthagent	^‡storeinappd
^‡CommerceKit.TransactionService	^‡icloud.findmydeviced.findmydevice-user-agent	^‡storelegacy
^‡DumpGPURestart	^‡iconservicesagent	^‡storereceiptinstaller
^‡IOAccelMemoryInfoCollector	^‡iconservicesd	^‡storeuid
^‡PIPAgent	^‡logd	^‡suggestd
^‡ReportGPURestart	^‡mtlcompilerservice	^‡swcd
^‡ReportPanicService	^‡navd	^‡tccd
^‡SpeechRecognitionCore.brokerd	^‡neagent	^‡touchbar.agent
^‡SpeechRecognitionCore.speechrecognitiond	^‡nehelper	^‡useractivityd
^‡XprotectFramework.AnalysisService	^‡nesessionmanager	^‡writeconfig
^‡assistantd	^‡networkserviceproxy	^‡xpchelper
^‡audio.coreaudiod	^‡nlcd	com.openssh.sshd
^‡audio.systemsoundserverd	^‡noticeboard.agent	coresymbolicationd
^‡authd	^‡noticeboard.state	directoryserver
^‡avconferenced	^‡notifyd	fmfd
^‡captiveagent	^‡opendirectoryd	opendirectory
^‡cf.appsleepd	^‡pboard	racoon
^‡controlstrip	^‡pictd	system
^‡coreduetd	^‡qtkitserver
^‡corefoundation	^‡qtkittrustedmoviesservice

Recently Modified:

  686 Oct 19  2016 com.apple.diagnosticd.sb
   786 Oct 19  2016 com.apple.logd.sb
  5875 Oct 19  2016 system.sb
  2173 Oct 19  2016 com.apple.captiveagent.sb
  1548 Oct 19  2016 com.apple.ReportPanicService.sb
   796 Oct 20  2016 com.apple.securitydservice.sb
   942 Oct 20  2016 com.apple.authd.sb
   479 Oct 20  2016 com.apple.CodeSigningHelper.sb
  6491 Oct 20  2016 cloudpaird.sb
  1134 Oct 20  2016 com.apple.ctkd.sb
 62342 Oct 28  2016 application.sb
  3248 Oct 29  2016 com.apple.SpeechRecognitionCore.speechrecognitiond.sb
  4365 Nov  4  2016 com.apple.avconferenced.sb
  4600 Nov  6  2016 com.apple.AirPlayXPCHelper.sb
  5365 Nov  8  2016 com.apple.suggestd.sb
   380 Nov 15  2016 com.apple.touchbar.agent.sb
   383 Nov 15  2016 com.apple.controlstrip.sb
  2107 Dec  2  2016 com.apple.eosauthagent.sb

Smallest:cf.appsleepd

(version 1)
(import "bsd.sb")
(deny default)

You can modify /System/Library/Sandbox/Profiles/system.sb to allow lsboxd and coresymbolicationd to get rid of errors. Make a backup of system.sb , add to end a nd reboot.

;;; MDWorker Fix
  (allow mach-lookup
         (global-name "com.apple.ls.boxd")
         (local-name "com.apple.ls.boxd")
         (global-name "com.apple.coresymbolicationd")
         (local-name "com.apple.coresymbolicationd"))

system.sb

  ;;;;;; Common system sandbox rules
(version 1)

;;; Allow registration of per-pid services.
(allow mach-register
       (local-name-prefix ""))

(allow file-read*                                                ;;; Allow read access to standard system paths.
       (require-all (file-mode #o0004)            ;read
                    (require-any (subpath "/Library/Filesystems/NetFSPlugins")
                                 (subpath "/Library/Preferences/Logging")      ; Logging Rethink
                                 (subpath "/System")
                                 (subpath "/private/var/db/dyld")
                                 (subpath "/usr/lib")
                                 (subpath "/usr/share")                 )   )   )   

(allow file-read*                                               ;;; Allow reading internal profiles on development builds
       (require-all (file-mode #o0004)
                    (subpath "/AppleInternal/Library/Preferences/Logging")
                    (system-attribute apple-internal)))

(allow file-read-metadata
       (literal "/etc")
       (literal "/tmp")
       (literal "/var")
       (literal "/private/etc/localtime")   ) 

(allow file-read*                                                 ;;; Allow access to standard special files.
       (literal "/dev/autofs_nowait")
       (literal "/dev/random")
       (literal "/dev/urandom")
       (literal "/private/etc/master.passwd")
       (literal "/private/etc/passwd")  )

(allow file-read*
       file-write-data
;;;;;;
;;;;;; Copyright (c) 2008-2009 Apple Inc.  All Rights reserved.
;;;;;;
;;;;;; WARNING: The sandbox rules in this file currently constitute
;;;;;; Apple System Private Interface and are subject to change at any time and
;;;;;; without notice. The contents of this file are also auto-generated and
;;;;;; not user editable; it may be overwritten at any time.

Developer.Apple