SANDBOX(7) BSD Miscellaneous Information Manual SANDBOX(7)
NAME
sandbox -- overview of the sandbox facility
SYNOPSIS
#include <sandbox.h>
DESCRIPTION
The sandbox facility allows applications to voluntarily restrict their access to operating system resources. This safety mechanism is
intended to limit potential damage in the event that a vulnerability is exploited. It is not a replacement for other operating system access
controls.
New processes inherit the sandbox of their parent. Restrictions are generally enforced upon acquisition of operating system resources only.
For example, if file system writes are restricted, an application will not be able to open(2) a file for writing. However, if the applica-
tion already has a file descriptor opened for writing, it may use that file descriptor regardless of restrictions.
SEE ALSO
sandbox-exec(1), sandbox_init(3), sandboxd(8)
Mac OS X January 29, 2010 Mac OS X
