How to build a replacement for sandbox-exec?

Hi,

I want something like sandbox-exec, so I can run things that I don't trust, and restrict their ability to read or write files to only certain locations. Like most software devs I have to download and run lots of code from the internet and the danger of this really annoys me.

Unfortunately sandbox-exec is marked as deprecated and the APIs in sandbox.h say "No longer supported".

I notice there is some new stuff in the Apple docs about "hypervisors" and "virtualization".

https://developer.apple.com/documentation/hypervisor
https://developer.apple.com/documentation/virtualization

Would these APIs allow me to start and control a virtual copy of my macOS, to serve like a sandbox?

Are there other solutions that people use?

As an example, say that I need to download and run a copy of memcached. It's a typical open source project – you unpack a source tgz, then run configure; make and get a binary. Now I want to run that without worrying that some hacker injected a piece of evil code to copy my files and send them somewhere. So I want to say "run this binary, while disallowing file reads and writes, except for directories X,Y,Z, and disallowing network connections, except for listening on port 1234."
The codesign tool allows you to embed entitlements inside a command line tool. I don't know for certain if you can enable the sandbox that way, but there are suggestions on the internet that it is possible. However, I wouldn't advise trying it in this situation. Unless a tool is specifically designed to run in the sandbox, then it probably isn't going to work properly. A better idea is to just install a virtual machine and run these things inside that. You can restrict how much access the VM guest has to the host.

Would these APIs allow me to start and control a virtual copy of my macOS, to serve like a sandbox?

The Virtualization framework is designed to virtualise Linux. The lower-level Hypervisor framework can be used to virtualise anything, including macOS. However, building a Mac-on-Mac virtualisation tool would require a significant investment on your part.

Are there other solutions that people use?

I use an off-the-shelf virtualisation solution (VMware Fusion, but that specific choice is due to an accident of history).

So I want to say "run this binary, while disallowing file reads and writes, except for directories X,Y,Z, and disallowing network connections, except for listening on port 1234."

macOS’s sandbox facilities would be a good match for this but they aren’t supported for third-party development. An app can opt in to the App Sandbox but that’s too general for your purposes. Creating a custom sandbox requires you to craft a bunch of code in the sandbox specification language (a Scheme derivative) and that language is not documented for third-party use.

This, btw, is why sandbox-exec has been deprecated. There’s not much use running a program within a sandbox if there’s no supported way to specify the details of that sandbox.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

A better idea is to just install a virtual machine and run these things inside that. You can restrict how much access the VM guest has to the host.

Do any of these VM products let me run another macOS while not doubling my RAM requirements? In other words, can I tell them to share the parts of the system?

Is this what Docker does? I've not yet used it, but it sounds like maybe I want a "container" rather than a full separate VM?
I can’t speak to the facilities provided by the various VM products out there, but I can tell you my experience:
  • I run macOS as a guest on VMware Fusion and have done so ever since it was introduced as a supported option (prior to 10.7 this meant running macOS Server).

  • I’ve historically allocated 2 GB to the guest and performance was just fine.

  • For recent releases of macOS (guest) I’ve bumped that to 4 GB.

  • I recently updated to a new Mac and I spec’d that to 32 GB so that I wouldn’t have to worry about this in the future.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Do any of these VM products let me run another macOS while not doubling my RAM requirements? In other words, can I tell them to share the parts of the system?

No. That's how they work. If you have a modern Mac with 16 GB RAM and an SSD, then you won't have any problem. That is really the minimum requirement just to run Xcode anyway. So there is no reason for a Mac developer not to use VMs. The biggest problem is disk space because a Mac VM with a modern operating system will take about 40 GB of storage.

Another problem is system stability and system modifications. I use Parallels Desktop from the Mac App Store. It runs great and no kernel extensions are required. I was lucky enough to get it when it first came out, so I'm running it for free. You will have to pay a subscription. (In all fairness, I do test each update to see if it is any better than the free version I have. Haven't upgraded yet. The Mac App Store version 1.3.3 has been rock-solid. It is one of the few products I can't recommend strongly enough. The current version is good too, but I wasn't able to get my 10.9 VM working in version 1.5. That might not be a problem for you.)

It is really convenient to just reset the VM. (Alas, the snapshot feature is harder to use in version 1.5.)

Is this what Docker does? I've not yet used it, but it sounds like maybe I want a "container" rather than a full separate VM?

No. Docker is something else completely. Docker only runs Linux containers anyway. And learning how to use Docker will suck up months of your time.
Thank you both, for the info and clarification.

macOS’s sandbox facilities would be a good match for this but they aren’t supported for third-party development. [...] requires you to craft a bunch of code in the sandbox specification language (a Scheme derivative) and that language is not documented for third-party use.
 
This, btw, is why sandbox-exec has been deprecated. There’s not much use running a program within a sandbox if there’s no supported way to specify the details of that sandbox.

Dang. It would be super useful and give some peace of mind to people who need to run all this semi-trusted software. I also recently upgraded my hardware, but I "only" have 16GB.

Apple wouldn't need to support or document the Scheme-based config language, if we had access to the system calls underneath it people could make their own tools. Maybe something like BSD jail. I guess whatever system calls are used to implement sandbox-exec are also private/hidden. 😞

Apple wouldn't need to support or document the Scheme-based config language, if we had access to the system calls underneath it

That’s not how the sandbox works. The Scheme code is actually run by the kernel. The (private) system calls involved just load that Scheme code into the kernel.

If you’re curious how this works under the covers you should search the ’net for info (I used the search string darwin sandbox scheme). There’s a tonne of stuff posted by security researchers about this. However, as it isn’t documented for third-party use I can’t offer any more details here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Oh wait, I’d be remiss if I didn’t mention a new, and completely different, mechanism for mandatory access control, namely the EndpointSecurity subsystem. A good introduction to this is WWDC 2020 Session 10159 Build an Endpoint Security app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Oh wait, I’d be remiss if I didn’t mention a new, and completely different, mechanism for mandatory access control, namely the EndpointSecurity subsystem. A good introduction to this is WWDC 2020 Session 10159 Build an Endpoint Security app.

I just watched the talk. Awesome! That may actually do it, thank you. I've been in the app dev world, so this stuff is new to me. I'll study more of this and the other topics he mentioned (system extensions, network extensions). It looks like there are some open source projects using it (Google Santa, Sinter).

sandbox-exec is still around. I've created profiles to provide a security layer when building open source software (e.g. configure; make). They are available at https://github.com/BrianSwift/macOSSandboxBuild

You can always do: ls /usr/share/sandbox and look at the numerous examples to figure out how to specify details ;-).

Right. But the critical point here is that this sandbox language (SBPL) is not documented for third-party use. You can play around with it if you want, but it would be unwise to build a product based on it.
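The OP's policy (reads and writes confined to listed directories, inbound only on one port) written as an SBPL profile in the style of the files under /usr/share/sandbox, as an added example that is not from any poster in this thread. Since SBPL is undocumented, the operation names and filter keywords are assumptions taken from those shipped profiles, and sandbox-exec's -f flag is assumed to still accept a profile file.

```shell
# make_profile PORT BINARY DIRS  (DIRS is colon-separated, like PATH)
# Prints an SBPL profile that denies everything by default, then allows
# only what the confined program needs: loading itself and the system
# libraries, reading/writing the listed directories, and listening on PORT.
# BINARY must be an absolute path because (literal ...) matches exact paths.
make_profile() {
  port="$1"; bin="$2"; dirs="$3"
  cat <<EOF
(version 1)
(deny default)
; the binary itself, plus dyld and the system libraries every process maps
(allow process-exec (literal "$bin"))
(allow file-read* (subpath "/usr/lib") (subpath "/System/Library")
                  (literal "/dev/null") (literal "/dev/urandom"))
(allow sysctl-read)
; inbound on one TCP port only; with no outbound rule, connect() is denied
(allow network-bind network-inbound (local tcp "*:$port"))
EOF
  old_ifs=$IFS; IFS=:
  for d in $dirs; do
    printf '(allow file-read* file-write* (subpath "%s"))\n' "$d"
  done
  IFS=$old_ifs
}

# run_sandboxed PORT BINARY DIRS [args for BINARY...]
# Writes the profile to a temp file and launches BINARY under it.
run_sandboxed() {
  prof="$(mktemp /tmp/sb.XXXXXX)" || return 1
  make_profile "$1" "$2" "$3" > "$prof"
  bin="$2"; shift 3
  # sandbox-exec is deprecated but still shipped; -f loads a profile file
  sandbox-exec -f "$prof" "$bin" "$@"
}

# example: run a freshly built memcached on port 1234 with /tmp/mc as its
# only writable directory:  run_sandboxed 1234 "$PWD/memcached" /tmp/mc -p 1234
```

If the program fails to start, the operations the kernel denied are recorded in the unified log (`log stream --predicate 'eventMessage CONTAINS "Sandbox:"'`); add only the reported path or operation to the profile and retry, rather than loosening the default deny.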

If you have Microsoft Office installed on macOS, looking at Activity Monitor and going to View -> Columns -> Sandbox you can see Microsoft sandboxed all their apps...wonder how they did it?

That is the App Sandbox, which is a very different thing.

The App Sandbox is configured using entitlements, not SBPL, and that’s fully supported. Indeed, it’s required for apps that ship via the Mac App Store.

For more on the App Sandbox, see:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
