Woj*_*ilo 11 security macos sandbox deprecated
I've noticed that in the newest macOS the sandbox-exec command is deprecated. According to its manual:
The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide. [...]
Moreover, a few commands were removed, like sandbox-simplify. Also, it seems that the trace function is not working anymore; the following config just does not produce output anymore (while it did in earlier versions):
(version 1)
(debug all)
(trace "/tmp/trace.sb")
(deny default)
My question is, what is the "new" way of sandboxing third-party apps? I'm not asking this question from the perspective of a developer. I'm asking it as a power user who wants to add additional sandboxing limits to apps I don't trust.
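Although Apple claims that this older style of sandboxing via profiles (sometimes called "Seatbelt") is deprecated, as of 2020 it is still heavily used on macOS by both Apple and third-party developers. You can find sandbox profiles in various places, for example:
/System/Library/Sandbox/Profiles for various macOS system components
The new way is the eponymous App Sandbox feature (see the design guide for more details). This newer sandbox is controlled by "entitlements", various flags that an app developer can set as part of code signing when building the app. Internally, it makes use of the older sandbox profile system above by applying the profile at /System/Library/Sandbox/Profiles/application.sb during app launch. App Sandbox is more limited than the full profile system: it relies on only a handful of flags and lists and cannot offer the same flexibility as using profiles directly. As far as I know, there is no way to control this newer system as a user, because you would need to repackage and re-sign the app to do so.
As a user, sandbox profiles with sandbox-exec are still your main and only option on macOS. While it may say deprecated, it also does not look like they are going away any time soon, as it is still widely used both in profile form and as the internal layer of the newer App Sandbox feature.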
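An added example, not part of the original answer: a shell wrapper that runs an untrusted command under a sandbox-exec profile which blocks network access and confines file writes to one directory. The function names, the WORKDIR parameter and the rule set are assumptions chosen for illustration, and the profile goes beyond what the answer spells out.

```sh
#!/bin/sh
# Added example (macOS only): run an untrusted command under a Seatbelt
# profile via sandbox-exec. Names and rule set are illustrative assumptions.

# Print the SBPL profile. The writable directory is supplied as a profile
# parameter (sandbox-exec -D) instead of being pasted into the profile text,
# so unusual characters in a path cannot alter the rules.
make_profile() {
    cat <<'EOF'
(version 1)
; Start permissive, then remove what the program should not have.
(allow default)
; No network access of any kind.
(deny network*)
; No writes anywhere, then re-allow one directory and /dev/null.
(deny file-write*)
(allow file-write* (subpath (param "WORKDIR")))
(allow file-write* (literal "/dev/null"))
EOF
}

# usage: run_sandboxed <writable-dir> <command> [args...]
run_sandboxed() {
    if [ "$#" -lt 2 ]; then
        echo "usage: run_sandboxed <writable-dir> <command> [args...]" >&2
        return 2
    fi
    # Resolve symlinks first: path filters are matched against the real path,
    # and on macOS /tmp is a symlink to /private/tmp.
    workdir=$(cd "$1" && pwd -P) || return 1
    shift
    sandbox-exec -D WORKDIR="$workdir" -p "$(make_profile)" "$@"
}

# Run only when arguments are given, e.g.:
#   sh sandboxed.sh "$HOME/scratch" curl https://example.com
if [ "$#" -gt 0 ]; then
    run_sandboxed "$@"
fi
```

The allow rule for WORKDIR comes after the blanket file-write* deny so that the later, more specific rule re-opens that one directory.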