SANDBOX(7) Miscellaneous Information Manual SANDBOX(7)

sandboxoverview of the sandbox facility

#include <sandbox.h>

The sandbox facility allows applications to voluntarily restrict their access to operating system resources. This safety mechanism is intended to limit potential damage in the event that a vulnerability is exploited. It is not a replacement for other operating system access controls.

New processes inherit the sandbox of their parent. Restrictions are generally enforced upon acquisition of operating system resources only. For example, if file system writes are restricted, an application will not be able to open(2) a file for writing. However, if the application already has a file descriptor opened for writing, it may use that file descriptor regardless of restrictions.

sandbox-exec(1), sandbox_init(3), sandboxd(8)

January 29, 2010 Mac OS X