
How to run process in terminal with reading only permission for given directory

I am trying to run a process in my terminal but I don’t trust the application that much.

Is there is a way to run that application with just read permission from selected directory?

I am using macOS.


Answer

As knittl said, you can use chroot to make a jail.

For more complex things, the Mac has MAC (meaning OS X has Mandatory Access Control), which allows specifying what processes can and cannot do. This is implemented with the sandbox mechanism, which is extremely powerful and fine-grained.

You need to set up the sandbox, so:

  • man sandbox
  • man sandbox-exec

but these are unfortunately not very helpful ;(

Basically, you need to set up a profile for the sandbox. Example profiles are in /usr/share/sandbox/*.

The best you can do is google for “os x sandbox”.

As I said above, there are no good docs, probably because it is currently not in its final stage. 🙁 You can experiment with it (especially with the debug mode). Anyway, these links should help a bit:

Your case is simple enough (IMHO), so it will be enough to enable process-exec for your program, enable read and deny write for the regex “/*” (everywhere). Maybe deny network too.

I’m not a sandbox expert, so YOU must experiment – but try to start with something like:

(version 1)
(debug deny)                                              ; log every denied operation to the system log
(allow default)                                           ; start open, then take rights away below
(allow process*)                                          ; exec/fork so the program can start
(deny network*)                                           ; no network at all

(allow file-read-data file-read-metadata (regex "^/.*"))  ; read anywhere
(deny file-write* (regex "^/.*"))                         ; write nowhere
(import "bsd.sb")                                         ; Apple's baseline profile from /usr/share/sandbox

So: allow executing programs, deny networking, allow read and deny write… TEST first!
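The question asks for read access to one chosen directory rather than everywhere, so here is an added example (my own, not part of the answer above) that builds a deny-by-default profile exposing a single directory read-only and runs a program under it with sandbox-exec. It assumes sandbox-exec's -D option and the profile's (param "DIR") lookup, which are how Apple's own profiles take parameters, and that the imported bsd.sb still supplies the baseline read access a program needs to load; if the program fails to start, the (debug deny) log shows which operation to allow.

```shell
#!/bin/sh
# Added example, not from the original answer: run an untrusted program with
# read-only access to one directory, no writes anywhere, and no network.

# Print an SBPL profile. Later rules take precedence over earlier ones, so the
# blanket denies come after the import and the targeted allows come before them.
readonly_profile() {
  cat <<'EOF'
(version 1)
(deny default)                                ; closed by default
(debug deny)                                  ; log denied operations (system log)
(import "bsd.sb")                             ; baseline rules a process needs to start (assumed present)
(allow process-exec)                          ; let sandbox-exec start the target program
(allow process-fork)
(allow file-read* (subpath (param "DIR")))    ; the one directory chosen at run time
(deny file-write*)                            ; explicit: no writes, even if bsd.sb allowed some
(deny network*)
EOF
}

# run_readonly DIR PROGRAM [ARGS...]
# Returns the program's exit status, or 127 when sandbox-exec is unavailable.
run_readonly() {
  dir=$1; shift
  command -v sandbox-exec >/dev/null 2>&1 || {
    echo "sandbox-exec not found (macOS only)" >&2; return 127; }
  profile=$(mktemp) || return 1
  readonly_profile > "$profile"
  # subpath matches the real path, so resolve symlinks (/tmp is /private/tmp on macOS).
  real=$(cd "$dir" && pwd -P) || { rm -f "$profile"; return 1; }
  sandbox-exec -D "DIR=$real" -f "$profile" "$@"
  status=$?
  rm -f "$profile"
  return $status
}

# Demo (run with --demo on macOS): reading inside the directory works, writing is refused.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && echo hello > "$d/readme.txt"
  run_readonly "$d" /bin/sh -c \
    'cat "$0/readme.txt"; touch "$0/new.txt" && echo WRITE ALLOWED || echo write denied' "$d"
fi
```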

User contributions licensed under: CC BY-SA