SANDBOX(7) BSD Miscellaneous Information Manual SANDBOX(7)
NAME
sandbox -- overview of the sandbox facility
SYNOPSIS
#include <sandbox.h>
DESCRIPTION
The sandbox facility allows applications to voluntarily restrict their access to operating system resources. This safety mechanism is
intended to limit potential damage in the event that a vulnerability is exploited. It is not a replacement for other operating system access
controls.
New processes inherit the sandbox of their parent. Restrictions are generally enforced upon acquisition of operating system resources only.
For example, if file system writes are restricted, an application will not be able to open(2) a file for writing. However, if the application already has a file descriptor opened for writing, it may use that file descriptor regardless of restrictions.
SEE ALSO
sandbox-exec(1), sandbox_init(3), sandboxd(8)
Mac OS X January 29, 2010 Mac OS X
SANDBOX_INIT(3) BSD Library Functions Manual SANDBOX_INIT(3)
NAME
sandbox_init, sandbox_free_error -- set process sandbox (DEPRECATED)
SYNOPSIS
#include <sandbox.h>
int
sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
void
sandbox_free_error(char *errorbuf);
DESCRIPTION
The sandbox_init() and sandbox_free_error() functions are DEPRECATED. Developers who wish to sandbox an app should instead adopt the App
Sandbox feature described in the App Sandbox Design Guide.
The sandbox_init() function places the current process into a sandbox(7). The NUL-terminated string profile specifies the profile to be used
to configure the sandbox. The flags specified are formed by or'ing the following values:
SANDBOX_NAMED The profile argument specifies a sandbox profile named by one of the constants given in the AVAILABLE PROFILES section below.
The out parameter *errorbuf will be set according to the error status.
RETURN VALUES
Upon successful completion of sandbox_init(), a value of 0 is returned and *errorbuf is set to NULL. In the event of an error, a value of -1
is returned and *errorbuf is set to a pointer to a NUL-terminated string describing the error. This string may contain embedded newlines.
This error information is suitable for developers and is not intended for end users. This pointer should be passed to sandbox_free_error(3)
to release the allocated storage when it is no longer needed.
AVAILABLE PROFILES
The following are brief descriptions of each available profile. Keep in mind that sandbox(7) restrictions are typically enforced at resource
acquisition time.
kSBXProfileNoInternet TCP/IP networking is prohibited. DEPRECATED.
kSBXProfileNoNetwork All sockets-based networking is prohibited. DEPRECATED.
kSBXProfileNoWrite File system writes are prohibited. DEPRECATED.
kSBXProfileNoWriteExceptTemporary File system writes are restricted to the temporary folder /var/tmp and the folder specified by the
confstr(3) configuration variable _CS_DARWIN_USER_TEMP_DIR. DEPRECATED.
kSBXProfilePureComputation All operating system services are prohibited. DEPRECATED.
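The following program is an added example, not part of either man page, showing how the sandbox_init(3) call above is used with SANDBOX_NAMED and kSBXProfileNoWrite, and how the acquisition-time enforcement described in sandbox(7) shows up in practice: a descriptor opened for writing before sandbox_init() keeps working, while a fresh open(2) for writing afterwards is refused. The struct probe, the function names and the temporary file names are this example's own choices. The sandbox API exists only on macOS; on other platforms the example compiles but reports that the sandbox step was skipped, so the "before" write still succeeds and the "after" open is not refused.

```c
/* Added example: probe sandbox(7) enforcement via the deprecated sandbox_init(3).
 * macOS only; elsewhere the sandbox step is skipped and r.sandboxed stays 0. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sandbox.h>
#endif

struct probe {
    int sandboxed;        /* 1 if sandbox_init() succeeded */
    int pre_fd_write_ok;  /* write(2) on a descriptor held before the sandbox */
    int post_open_failed; /* open(2) for writing after sandbox_init() failed */
    int post_open_errno;  /* errno from that failed open(2), else 0 */
};

/* Enter the named no-write profile; returns 1 on success, 0 otherwise. */
static int enter_no_write_sandbox(void)
{
#ifdef __APPLE__
    char *err = NULL;
    if (sandbox_init(kSBXProfileNoWrite, SANDBOX_NAMED, &err) != 0) {
        /* Error text is developer-oriented and may span several lines. */
        fprintf(stderr, "sandbox_init: %s\n", err ? err : "unknown error");
        sandbox_free_error(err);
        return 0;
    }
    return 1;
#else
    return 0; /* assumption for portability: no sandbox(7) on this platform */
#endif
}

/* Hypothetical helper: acquire a writable fd, sandbox, then retry acquisition. */
struct probe probe_no_write(const char *dir)
{
    struct probe r = {0, 0, 0, 0};
    char before[512], after[512];
    snprintf(before, sizeof before, "%s/sb-before-%d", dir, (int)getpid());
    snprintf(after, sizeof after, "%s/sb-after-%d", dir, (int)getpid());

    /* Resource acquired before the restriction takes effect. */
    int fd = open(before, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return r;

    r.sandboxed = enter_no_write_sandbox();

    /* Already-held descriptor: still usable, as sandbox(7) documents. */
    r.pre_fd_write_ok = write(fd, "ok\n", 3) == 3;

    /* New acquisition: refused inside the sandbox (EPERM on macOS). */
    int fd2 = open(after, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd2 < 0) {
        r.post_open_failed = 1;
        r.post_open_errno = errno;
    } else {
        close(fd2);
        unlink(after);
    }

    close(fd);
    unlink(before); /* itself a write; inside the sandbox this is refused and the file remains */
    return r;
}

int main(void)
{
    struct probe r = probe_no_write("/tmp");
    printf("sandboxed=%d pre_fd_write_ok=%d post_open_failed=%d (%s)\n",
           r.sandboxed, r.pre_fd_write_ok, r.post_open_failed,
           r.post_open_failed ? strerror(r.post_open_errno) : "-");
    return 0;
}
```

Run it on macOS and the first write succeeds while the second open(2) reports "Operation not permitted"; note that because unlink(2) is also a write, the file created before entering the sandbox is left behind in the directory you pass in, which is the practical consequence of enforcing only at acquisition time.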
SEE ALSO
sandbox-exec(1), sandbox(7), sandboxd(8)
Mac OS X March 9, 2017 Mac OS X