├── .gitattributes
├── LICENSE
├── README.md
├── confined.sb
├── download.sb
├── exampleBuilds.md
├── nomach.sb
└── ping.sb


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Brian Swift
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # MacOS Sandbox Build 
  2 | 
  3 | ## What is this?
  4 | 
  5 | MacOS sandbox profiles and instructions for command line (Terminal) building of software in a sandboxed environment.
  6 | 
  7 | ## Audience
  8 | 
  9 | People who build software from the command line on macOS and have security related concerns about what could be occurring in a complex build process.
 10 | 
 11 | ## How do I use it?
 12 | 
 13 | After some setup, software build commands are executed in a restricted environment defined by the `confined.sb` profile using macOS command `sandbox-exec`. Three parameters passed to `confined.sb` specify directories accessible to the build command that are additions to a limited set of standard system directories.
 14 | * `_RX1` : contents are readable and executable, and metadata can be read from its path-ancestors
 15 | * `_RW1`: contents are readable and writable
 16 | * `_TMPDIR`: contents are readable and writable
 17 | 
 18 | The following example steps through building `cmake`.
 19 | 
 20 | ### Download Profiles
 21 | 
 22 | ```
 23 | mkdir -p "$HOME/Development/github"
 24 | cd "$HOME/Development/github"
 25 | git clone https://github.com/BrianSwift/macOSSandboxBuild.git
 26 | ```
 27 | 
 28 | ### Setup `TMPDIR`
 29 | 
 30 | ```
 31 | export TMPDIR="$HOME/Dev Space/sandtmp"
 32 | mkdir -p "$TMPDIR"
 33 | ```
 34 | 
 35 | ### Load `xcrun_db` cache
 36 | Identify tool names in `/usr/bin` that might bounce to an XCode tool (this is intersection of tools in Xcode.app and tools in `/usr/bin`.)
 37 | This annoying setup process only needs to be done once.
 38 | ```
 39 | (ls /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin ; ls /Applications/Xcode.app/Contents/Developer/usr/bin ) | sort -u >/tmp/tool_list_xcode.txt
 40 | ls /usr/bin | sort >/tmp/tool_list_usr_bin.txt
 41 | comm -12 /tmp/tool_list_usr_bin.txt /tmp/tool_list_xcode.txt >/tmp/tool_list_to_cache.txt
 42 | ```
 43 | Execute `xcrun -find` for each tool name to load `xcrun_db`.  Execution in sandbox using  `nomach.sb`  profile causes `xcrun` to fallback to using  `$TMPDIR` for location of  `xcrun_db`, rather than `_CS_DARWIN_USER_TEMP_DIR` returned by `confstr(3)`. `nomach.sb` only denies `mach-lookup` operations. It is not more restrictive because only Apple provided code is executed.
 44 | 
 45 | First pass takes a few seconds per tool, and may get error messages when looking up `DeRez` and `swift`. Second command produces lots of errors, but that is expected because some apps don't recognize `--version`. Final command should only take a fraction of second per tool, and produce no errors.
 46 | ```
 47 | </tmp/tool_list_to_cache.txt xargs -n 1 -I % /usr/bin/time sandbox-exec -f $HOME/Development/github/macOSSandboxBuild/nomach.sb xcrun -find %
 48 | : Some tools like "make" are not cached correctly with "xcrun -find" so also make a pass attempting to run each with "--version". For some tools this is produces an error, but that is OK since we are only trying to get the cache initialized. "true" at end keeps xargs from terminating early when tools exit with error.
 49 | </tmp/tool_list_to_cache.txt xargs -n 1 -I % /usr/bin/time sandbox-exec -f $HOME/Development/github/macOSSandboxBuild/nomach.sb sh -c "% --version ; true"
 50 | : This should not produce errors and each command should only take fraction of a second
 51 | </tmp/tool_list_to_cache.txt xargs -n 1 -I % /usr/bin/time sandbox-exec -f $HOME/Development/github/macOSSandboxBuild/nomach.sb xcrun -find %
 52 | 
 53 | ```
 54 | Verify `xcrun_db` has been created in `$TMPDIR`.
 55 | ```
 56 | ls -l "$TMPDIR/xcrun_db"
 57 | : total 64
 58 | : -rw-------  1 sand  notstaff  31950 Sep  9 21:46 xcrun_db
 59 | ```
 60 | `xcrun_db` is pre-loaded because `xcodebuild` (which is invoked by shim apps in `/usr/bin` does not like trying to determine the developer tools configuration while running in a confined sandbox. After producing `xcrun_db`, `xcodebuild` will be able to lookup paths to real tools whenever a shim is invoked rather than performing a search.
 61 | 
 62 | This setup probably needs to be repeated anytime the default developer tools are changed with `xcode-select`, but that hasn't been tested.
 63 | 
 64 | This may be avoidable if environment variables are set  to specify the SDK and path to XCode tools, but this has not been tested.
 65 | 
 66 | ### Build Something (`cmake`) in Confined Sandbox (with Activity Logging)
 67 | 
 68 | Setup Build and Install tree
 69 | ```
 70 | mkdir -p "$HOME/Dev Space/Net/cmake/"{Src,Build,Dist,Inst}
 71 | ```
 72 | Download `cmake` source distribution (using "download.sb" sandbox)
 73 | ```
 74 | cd "$HOME/Dev Space/Net/cmake/Dist"
 75 | sandbox-exec -D_RW1="$PWD" -f "$HOME/Development/github/macOSSandboxBuild/download.sb" curl -OL https://github.com/Kitware/CMake/releases/download/v3.21.2/cmake-3.21.2.tar.gz
 76 | ```
 77 | Unpack source within confined sandbox
 78 | ```
 79 | cd "$HOME/Dev Space/Net/cmake/Src"
 80 | sandbox-exec -D_RX1="$HOME/Dev Space/Net/cmake/Dist" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" tar xf "$HOME/Dev Space/Net/cmake/Dist/cmake-3.21.2.tar.gz"
 81 | ```
 82 | Prepare build directory by copying `/usr/bin/false` to `ps` to keep `cmake` build from spewing `"Failure calling sysctl: Operation not permitted"` messages. `ps` is a suid program, and Apple's sandbox environment (understandably) denies execution of suid programs.
 83 | ```
 84 | cd "$HOME/Dev Space/Net/cmake/Build"
 85 | cp /usr/bin/false ps
 86 | ```
 87 | Start logging (optional)
 88 | 
 89 | As a user with administrator privileges, in a separate window start recording sandbox log messages for review after build ends.
 90 | ```
 91 | log stream --style compact --info --debug  --predicate '(((processID == 0) AND (senderImagePath CONTAINS "/Sandbox")) OR (subsystem == "com.apple.sandbox.reporting"))' >/tmp/sblog-cmake-01.txt
 92 | ```
 93 | bootstrap `cmake` within confined sandbox
 94 | ```
 95 | cd "$HOME/Dev Space/Net/cmake/Build"
 96 | PATH="`pwd`:$PATH" /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" "$HOME/Dev Space/Net/cmake/Src/cmake-3.21.2/bootstrap"  --prefix="$HOME/Dev Space/Net/cmake/Inst"
 97 | : Expected final output
 98 | : CMake has bootstrapped.  Now run make.
 99 | :      463.29 real       376.10 user        79.49 sys
100 | ```
101 | build and install `cmake` within confined sandbox
102 | ```
103 | PATH="`pwd`:$PATH" /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make -j 4 install
104 | : Expected final output
105 | : -- Installing: /Users/sand/Dev Space/Net/cmake/Inst/share/bash-completion/completions/ctest
106 | :      501.18 real      1820.55 user       124.39 sys
107 | ```
108 | Stop logging
109 | 
110 | Stop (^C) the `log stream...` running in another window.
111 | 
112 | A tally of sandbox allow/deny log messages can be produced with this command. 
113 | ```
114 | tr '0123456789' '##########' </tmp/sblog-cmake-01.txt | sed 's/[^ ]*  *[^ ]*  *[^ ]* *[^ ]*  *[^ ]*//'  | grep -v duplicate | sort | uniq -c | sort -rn | grep -e allow -e deny | less 
115 | 443  Sandbox: cmake(#####) deny(#) process-exec* /usr/sbin/sysctl
116 | 443  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sysctl
117 |  43  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##R#
118 |  25  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.distributed_notifications@Uv#
119 |  25  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.FSEvents
120 |  25  Sandbox: xcodebuild(#####) deny(#) file-read-data /
121 |  20  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin
122 |  19  Sandbox: cmake(#####) deny(#) file-read-metadata /opt
123 |  19  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Frameworks
124 |  13  Sandbox: routined(###) deny(#) mach-lookup com.apple.Maps.MapsSync.store
125 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/standalone
126 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sendmail
127 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/libexec
128 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##
129 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /sbin
130 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr/bin
131 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/safaridriver
132 |  10  Sandbox: cmake(#####) deny(#) file-read-data /usr/sbin
133 |  10  Sandbox: cmake(#####) deny(#) file-read-data /sbin
134 |  10  Sandbox: cmake(#####) deny(#) file-read-data /opt
135 | ...
136 | ```
137 | Note: the log messages come from all sandbox activity on the system, not just the build process, so you may see messages unrelated to the build.
138 | 
139 | Note: not all denied operations are being logged. Some denied operations that occur frequently (with every process launch) are configured to not log messages to keep down pollution/noise.
140 | 
141 | Note: Raw (un-tallied) log also contains many messages related to `Symbolicator for cmake[90573] is NULL` , and stack traces. I haven't figured out how to control these yet.
142 | 
143 | ### Build More Stuff
144 | See `exampleBuilds.md` for walkthroughs of building `gflags`, `glog`,`eigen`, `ceres`, `llvm clang`
145 | 
146 | ## Tell me more
147 | 
148 | ### What is the macOS Sandbox?
149 | "*App Sandbox is an access control technology provided in macOS, enforced at the kernel level.*" (From https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html)
150 | 
151 | The macOS sandbox enables creation of an environment that restricts access to a configurable subset of system resources and capabilities. These include what files can be read/write/stat/exec, network access, mach messaging and other interprocess communication, and system information via sysctl.
152 | 
153 | The specification of what is and is not accessible from the sandboxed environment is provide by a sandbox profile.
154 | 
155 | For our purposes, a sandboxed environment is created by running `sandbox-exec` with the `-f` parameters supplying the path to the profile configuring the restricted environment and also the command to be executed within the restricted environment.
156 | 
157 | Sandbox (also referred to as Seatbelt) was introduced in 2007 in OS X 10.5 Leopard. However, the profile definition language remains undocumented by Apple and is considered an "Apple System Private Interface". Also, while the  `sandbox-exec` man page has indicated it is DEPRECATED since at least 2017, it remains on the system. Also Apple continues to use the technology given that a profile was created for the Apple's relatively new *blastdoor* feature.
158 | 
159 | Even though Apple hasn't publicly documented the profile definition language, numerous examples can be found in `/System/Library/Sandbox/Profiles` and `/usr/share/sandbox`.
160 | 
161 | Additional information can be found in the References.
162 | 
163 | ### Describe `confined.sb` profile
164 | The primary goals of  `confined.sb` are to be *understandable* and thus *trustworthy*. The profile uses fairly simple `allow` and `deny` operations that are intended to be understandable on inspection. The idea is that if someone can understand the simple rules, they can have some amount of trust and confidence in the profile's effectiveness.
165 | 
166 | The profile starts with `(deny default)` which configures the environment to deny all operations with all denied operations being logged.
167 | 
168 | `(allow process-fork)` enables execution of multiple commands as part of build process.
169 | 
170 | Six different `(allow file...)` operations enable various types of file access to different parts of the system. Of note, `file-write*` is only enabled for directory hierarchies passed in as parameters `_RW1` and `_TMPDIR`, and for `/dev/null` and `/dev/zero`. `file-read*` and ` process-exec` capabilities are given to the directory hierarchy passed in as parameter `_RX1`,  `/bin`, `/usr/bin`, `/Applications/Xcode.app`.
171 | 
172 | `file-read*` and `file-read-metadata` (stat) are granted to various system files/directories. Also, `file-read-metadata` is given to `(path-ancestors (param "_RX1"))` which is needed for `cd`-ing.
173 | 
174 | Subsequent, `(deny (with no-report) ...)` operations suppress logging of operations that are frequently denied to reduce log pollution.
175 | `(allow sysctl-read ...)` grants access to a few system information values.
176 | 
177 | Finally, `(deny syscall-unix (with no-report) (syscall-number SYS_getfsstat64)` prevents `xcodebuild` from enumerating mounts on every invocation.
178 | 
179 | Throughout `confined.sb` comments with tool names indicated the named tool was observed using or needing the listed feature.
180 | 
181 | The singularly focused simplicity of  `confined.sb`  stands in contrast to the complexity of Apple profile `/System/Library/Sandbox/Profiles/application.sb` which must support a wide range of use cases.
182 | 
183 | ### Why aren't those build commands simplified in a script?
184 | Providing a script with sufficient flexibility to accommodate various build styles/layouts would add a layer of complexity, requiring more analysis by the user to develop understanding and trust.
185 | 
186 | ### Why `Dev Space`?
187 | I wanted to verify quoting is sufficient to work with pathnames containing spaces.
188 | 
189 | ### What's this ```-D_RW1="`dirname $PWD``` business
190 | Read/Write access is granted to parent of build directory to permit writes to both the build directory and the install directory. Perhaps there should be a `_RW2` parameter.
191 | 
192 | ### What is include in `macOSSandboxBuild`
193 | * `confined.sb` : Profile used for building software (described above). Network access is denied.
194 | * `download.sb` : Allows network access, and writing to directory specified by `_RW1`, but has little additional access to system
195 | * `nomach.sb` : Just does `(deny mach-lookup)`. Only used durring xcrun_db setup
196 | * `ping.sb` : minimal profile allowing execution of `ping`/`ping6`
197 | * `exampleBuilds.md` : Examples of building additional software within sandbox
198 | 
199 | ### Have you investigated the origins of all the denied operations in builds
200 | Nope.
201 | 
202 | However, `cmake` frequently accessing `/private` and `/private/tmp` is possibly due to  `kwsys/SystemTools.cxx:  SystemTools::AddKeepPath("/tmp/");)`
203 | Also, frequent exec `/usr/sbin/sysctl` possibly from `Modules/ProcessorCount.cmake:    find_program(ProcessorCount_cmd_sysctl sysctl )`
204 | Don't know where attempts to refernece `/usr/sbin/sendmail` come from. I didn't find a reference to it `cmake` source.
205 | 
206 | ## References
207 | 
208 | * A long evening with iOS and macOS Sandbox - https://geosn0w.github.io/A-Long-Evening-With-macOS's-Sandbox/
209 | * About App Sandbox - https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html#//apple_ref/doc/uid/TP40011183-CH1-SW1
210 | * App Sandbox in Depth - https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html
211 | * Run IBTool from within Sandboxed App - https://developer.apple.com/forums/thread/26389?answerId=89866022#89866022
212 | * How to build a replacement for sandbox-exec? - https://developer.apple.com/forums/thread/661939
213 | * Why Xcode tools are slow after reboot - https://lapcatsoftware.com/articles/xcrun.html
214 | * mktemp on macOS not honouring $TMPDIR - https://unix.stackexchange.com/questions/555058/mktemp-on-macos-not-honouring-tmpdir
215 | * confstr source - https://opensource.apple.com/source/Libc/Libc-1439.40.11/gen/confstr.c.auto.html
216 | 
217 | 
218 | ## Future Work
219 | ~~Profile with sufficient networking support to allow downloading source via git and curl~~
220 | 
221 | ???
222 | 


--------------------------------------------------------------------------------
/confined.sb:
--------------------------------------------------------------------------------
  1 | (version 1)
  2 | 
  3 | ;; sandbox profile for building software from command line
  4 | 
  5 | ;; For explanation and usage see https://github.com/BrianSwift/macOSSandboxBuild
  6 | 
  7 | ;; MIT License (at end)
  8 |  
  9 | 
 10 | (deny default)
 11 | 
 12 | 
 13 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 14 | ;; process
 15 | 
 16 | (allow process-fork) ;; Because building means running commands and scripts
 17 | 
 18 | 
 19 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 20 | ;; file
 21 | 
 22 | (allow file-read* file-write*
 23 | 	(subpath (param "_RW1")) ;; current and sub dirs
 24 | 	(subpath (param "_TMPDIR")) ;; TMPDIR and sub dirs (should already be setup with pre-heated xcrun_db)
 25 | )
 26 | 
 27 | (allow file-read* file-write-data
 28 | 	(literal "/dev/null")
 29 | 	(literal "/dev/zero"))
 30 | 
 31 | (allow file-read* process-exec 
 32 | 	(subpath (param "_RX1")) ;; additional direcory read/execute directory
 33 | 	(subpath "/bin") ;; sh, bash
 34 | 	(subpath "/usr/bin") ;; uname (cmake), dirname
 35 | 	(subpath "/Applications/Xcode.app") ;; clang
 36 | )
 37 | 
 38 | ;; Initial elements mentioned in blastdoor.sb
 39 | ;; Allow read access to standard system paths.
 40 | (allow file-read*
 41 | 	(subpath "/System/Library") ;; Tightened, was "/System"
 42 | 	(subpath "/usr/lib")
 43 | 	(subpath "/usr/share")
 44 | 	;; Tighter. Removed  (subpath "/private/var/db/dyld")
 45 | 
 46 | 	;; my additions
 47 | 	(literal "/Library/Preferences/.GlobalPreferences.plist") ;; sw_vers xcodebuild
 48 | 	(literal "/Library/Preferences/com.apple.dt.Xcode.plist") ;; xcodebuild (checking last license agreed to "IDELastGMLicenseAgreedTo")
 49 | 
 50 | 	;; xcodebuild (though doesn't break without)
 51 | 	(literal "/System")
 52 | 	(literal "/usr")
 53 | )
 54 | 
 55 | ;; Initially from blastdoor.sb
 56 | (allow file-read-metadata
 57 | 	(path-ancestors (param "_RX1"))
 58 | 	(literal "/etc")
 59 | 	(literal "/tmp")
 60 | 	(literal "/var")
 61 | 	(literal "/private/etc/localtime")
 62 | 	;; sh wants
 63 | 	(literal "/private/var/select/sh")
 64 | 
 65 | 	;; clang wants to read metadata from from XCode parent dirs
 66 | 	(literal "/Applications")
 67 | 	(literal "/")
 68 | )
 69 | 
 70 | ;; From blastdoor.sb 
 71 | ;; Allow access to standard special files.
 72 | (allow file-read*
 73 | 	(literal "/dev/random")
 74 | 	(literal "/dev/urandom"))
 75 | 
 76 | ;; deny (with no-report) to reduce log pollution
 77 | ;; Idea is to reduce/eliminate logged messages for a nominal run,
 78 | ;; so any messages that are logged are significant.
 79 | (deny file* (with no-report)
 80 | 	(literal "/dev") ;; bash
 81 | 	(literal "/dev/tty")   ;; bash
 82 | 	(literal "/Library/Preferences/Logging/com.apple.diagnosticd.filter.plist")
 83 | 	(literal "/usr/local")
 84 | 	(subpath "/private/var/db/timezone") ; xcodebuild, sw_vers, make
 85 | 	(literal "/private/etc/passwd") ;; clang, make, access probably for group number to name conversion, block doesn't cause failure but does pollute log file
 86 | 	(literal "/System/Volumes") ;; xcodebuild
 87 | 	(literal "/private/tmp") ;; cmake frequent file-read-metadata (possibly due to  ./kwsys/SystemTools.cxx:  SystemTools::AddKeepPath("/tmp/");)
 88 | 	(literal "/private") ;; cmake frequent file-read-metadata 
 89 | )
 90 | 
 91 | 
 92 | 
 93 | ;; Everything accesses /AppleInternal. Blocking doesn't seem to hurt. Explicit block "(with no-report)" to prevent log pollution
 94 | (deny file-read-metadata (with no-report) (literal "/AppleInternal"))
 95 | 
 96 | 
 97 | ;; Every launched process tries to access dtracehelper. Added (with no-report) to reduce log pollution.
 98 | (deny (with no-report) file-read* file-write-data file-ioctl
 99 | 	 (literal "/dev/dtracehelper"))
100 | 
101 | 
102 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
103 | ;; mach-lookup
104 | ;;
105 | ;; All are denied by (deny default). Reduce log pollution for these.
106 | 
107 | ;; reduce log pollution
108 | (deny mach-lookup (with no-report)
109 | 	(global-name-prefix "com.apple.system.opendirectoryd.") ;; clang
110 | 	(global-name-prefix "com.apple.logd") ;; make
111 | 	(global-name "com.apple.bsd.dirhelper") ;; clang
112 | 	(global-name "com.apple.system.notification_center") ;; xcodebuild, make, sw_vers
113 | 	(global-name "com.apple.coresymbolicationd") ;; xcodebuild
114 | 	(global-name "com.apple.CoreServices.coreservicesd") ;; xcodebuild
115 | 	(global-name "com.apple.diagnosticd") ;; xcodebuild, make, sw_vers
116 | 	(global-name "com.apple.lsd.mapdb") ;; xcodebuild
117 | 	(global-name "com.apple.dt.CommandLineTools.installondemand") ;; gcc, clang
118 | )
119 | 
120 | 
121 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
122 | ;; sysctl
123 | ;;
124 | ;; All denied by (deny default) at top.
125 | ;;
126 | 
127 | (deny sysctl* (with no-report) (sysctl-name
128 | 	;; every executable startup does this, why
129 | 	"kern.osvariant_status"
130 | 	"hw.ephemeral_storage"
131 | )) 
132 | 
133 | (allow sysctl-read
134 | 	(sysctl-name 
135 | 		;; uname ( used in cmake build)
136 | 		"kern.ostype"
137 | 		"kern.hostname"
138 | 		"kern.osrelease"
139 | 		"kern.version"
140 | 		"hw.machine"
141 | 
142 | 		;;clang
143 | 		"hw.pagesize_compat"
144 | 		"kern.argmax"
145 | 		;;ld 
146 | 		"hw.ncpu"
147 | 		;; bash, clang++, 
148 | 		"kern.secure_kernel" ;; pollution doesn't break
149 | 		;; xcodebuild
150 | 		"kern.maxfilesperproc"
151 | 		"kern.osproductversion"
152 | 		;; bash and others
153 | 		"kern.ngroups"
154 | 	)
155 | ) 
156 | 
157 | 
158 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
159 | ;; ipc
160 | 
161 | (deny ipc-posix-shm-read-data (with no-report) (ipc-posix-name "apple.shm.notification_center")) ;; xcodebuild, sw_vers, make
162 | 
163 | 
164 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
165 | ;; network
166 | ;;
167 | ;; All network access is already denied by (deny default) at top.
168 | ;; This is just reducing frequent log message
169 | 
170 | (deny network-outbound (with no-report) (literal "/private/var/run/syslog")) ;; clang, make, test
171 | 
172 | 
173 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
174 | ;; syscall
175 | 
176 | ;; Stop xcodebuild from enumerating mounts on every invocation
177 | ;;   syscall names in /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sys/syscall.h
178 | 
179 | (deny syscall-unix (with no-report)
180 | 	(syscall-number SYS_getfsstat64)
181 | )
182 | ;; would be nice to have more granularity, to be able to specify the "no-report" just for xcodebuild
183 | ;;  so any other occurrences would be visible
184 | 
185 | 
186 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
187 | ;; system-privilege
188 | 
189 | (deny system-privilege) ;; from blastdoor.sb, wasn't generating deny messaegs before added. Seeing deny(1) system-privilege 1002. Don't know if allowed even with (deny default), or by default denied (with no-report)
190 | 
191 | 
192 | 
193 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
194 | ;; License
195 | 
196 | ;MIT License
197 | ;
198 | ;Copyright (c) 2021 Brian Swift
199 | ;
200 | ;Permission is hereby granted, free of charge, to any person obtaining a copy
201 | ;of this software and associated documentation files (the "Software"), to deal
202 | ;in the Software without restriction, including without limitation the rights
203 | ;to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
204 | ;copies of the Software, and to permit persons to whom the Software is
205 | ;furnished to do so, subject to the following conditions:
206 | ;
207 | ;The above copyright notice and this permission notice shall be included in all
208 | ;copies or substantial portions of the Software.
209 | ;
210 | ;THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
211 | ;IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
212 | ;FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
213 | ;AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
214 | ;LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
215 | ;OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
216 | ;SOFTWARE.
217 | 


--------------------------------------------------------------------------------
/download.sb:
--------------------------------------------------------------------------------
 1 | (version 1)
 2 | 
 3 | ;; sandbox profile for downloading software using curl or git
 4 | 
 5 | ;; For explanation and usage see https://github.com/BrianSwift/macOSSandboxBuild
 6 | 
 7 | (deny default)
 8 | 
 9 | (allow process-fork) ;; git needs
10 | 
11 | (allow file-read* process-exec 
12 | 	(literal "/usr/bin/curl")
13 | 	(literal "/Applications/Xcode.app/Contents/Developer/usr/bin/git")
14 | 	(subpath "/Applications/Xcode.app/Contents/Developer/usr/libexec/git-core")
15 | 	(subpath "/Applications/Xcode.app/Contents/Developer/usr/share/git-core")
16 | )
17 | 
18 | (allow file-read* file-write-data
19 | 	(literal "/dev/null") ;; git
20 | 	(literal "/dev/zero"))
21 | 
22 | (allow network-outbound
23 |        (literal "/private/var/run/mDNSResponder") ; name lookup
24 |        (remote tcp "*:443")
25 | )
26 | 
27 | (allow file-read-metadata
28 | 	(literal "/var") ; needed for DNS resolution
29 | 	(subpath "/etc") ; needed for curl/git to traverse to /private/etc/ssl
30 | )
31 | 
32 | (allow file-read*
33 | 	(subpath "/private/etc/ssl") ; git/curl references to /etc/ssl/cert.pem
34 | )
35 | 
36 | (allow file-read* file-write*
37 | 	(subpath (param "_RW1")) ;; current and sub dirs
38 | )
39 | 
40 | (allow file-read-metadata
41 | 	(path-ancestors (param "_RW1")) ; git does file-read-metadata (stat?) on all path prefixes several times
42 | )
43 | 
44 | (allow sysctl-read
45 | 	(sysctl-name 
46 | 		"kern.hostname" ; git produces error without hostname, but still runs to completion
47 | 				; when checking out gflags, hostname becomes part of log messages in:
48 | 					; .git/logs/HEAD gflags/.git/logs/HEAD
49 | 					; .git/logs/refs/heads/master gflags/.git/logs/refs/heads/master
50 | 					; .git/logs/refs/remotes/origin/HEAD gflags/.git/logs/refs/remotes/origin/HEAD
51 | ))
52 | 


--------------------------------------------------------------------------------
/exampleBuilds.md:
--------------------------------------------------------------------------------
  1 | #  Example Builds
  2 | 
  3 | ## Building More Stuff
  4 | 
  5 | Now that `cmake` is bulit, let's build some more stuff
  6 | 
  7 | ### Add cmake to PATH, override 'ps'
  8 | ```
  9 | export PATH="$HOME/Dev Space/Net/cmake/Inst/bin:$PATH"
 10 | cp /usr/bin/false "$HOME/Dev Space/Net/cmake/Inst/bin/ps"
 11 | ```
 12 | 
 13 | ### gflags
 14 | ```
 15 | mkdir -p "$HOME/Dev Space/Net/gflags/"{Src,Build,Dist,Inst}
 16 | cd "$HOME/Dev Space/Net/gflags/Src"
 17 | git clone https://github.com/gflags/gflags.git
 18 | cd "$HOME/Dev Space/Net/gflags/Build"
 19 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" cmake -S "$HOME/Dev Space/Net/gflags/Src/gflags" -B . --install-prefix "$HOME/Dev Space/Net/gflags/Inst"
 20 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make -j 4 install
 21 | ...
 22 | -- Installing: /Users/sand/Dev Space/Net/gflags/Inst/lib/pkgconfig/gflags.pc
 23 | CMake Error at cmake_install.cmake:128 (file):
 24 |   file cannot create directory: /Users/sand/.cmake/packages/gflags.  Maybe
 25 |   need administrative privileges.
 26 | 
 27 | make: *** [install] Error 1
 28 | ```
 29 | Tallied sandbox log messages for `gflags`.
 30 | ```
 31 | tr '0123456789' '##########' </tmp/sblog-gflags-01.txt | sed 's/[^ ]*  *[^ ]*  *[^ ]* *[^ ]*  *[^ ]*//'  | grep -v duplicate | sort | uniq -c | sort -rn | grep -e allow -e deny | less
 32 | 14  Sandbox: cmake(#####) deny(#) process-exec* /usr/sbin/sysctl
 33 | 14  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sysctl
 34 |  2  Sandbox: clang(#####) deny(#) file-read-metadata /Library/Frameworks
 35 |  1  Sandbox: ld(#####) deny(#) file-read-metadata /Library/Frameworks
 36 |  1  Sandbox: cmake(#####) deny(#) file-write-create /Users/sand/.cmake/packages/gflags
 37 | b
 38 | ```
 39 | We see that the install process is denied creating a `.cmake` directory in the home directory  `/Users/sand/.cmake/packages/gflags`.  This error hasn't (yet) prevented me from building dependent software components, so I'm ignoring it, content in the knowledge that the build isn't writing to unexpected places.
 40 | 
 41 | ### glog
 42 | Note setting `CMAKE_PREFIX_PATH`
 43 | ```
 44 | mkdir -p "$HOME/Dev Space/Net/glog/"{Src,Build,Dist,Inst}
 45 | cd "$HOME/Dev Space/Net/glog/Src"
 46 | git clone https://github.com/google/glog.git
 47 | cd "$HOME/Dev Space/Net/glog/Build"
 48 | export CMAKE_PREFIX_PATH="$HOME/Dev Space/Net/gflags/Inst"
 49 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" cmake -S "$HOME/Dev Space/Net/glog/Src/glog" -B . --install-prefix "$HOME/Dev Space/Net/glog/Inst"
 50 | ```
 51 | Output from above includes this error message. But it doesn't terminate the command. 
 52 | ```
 53 | ...
 54 | -- Performing Test COMPILER_HAS_DEPRECATED_ATTR - Success
 55 | CMake Warning at CMakeLists.txt:903 (export):
 56 |   Cannot create package registry file:
 57 |     /Users/sand/.cmake/packages/glog/1875892d32396b70f8f1afed2967474b
 58 |   Operation not permitted
 59 | -- Configuring done
 60 | ...
 61 | ```
 62 | Continuing...
 63 | ```
 64 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make -j 4 install
 65 | ...
 66 | -- Installing: /Users/sand/Dev Space/Net/glog/Inst/lib/cmake/glog/glog-targets-noconfig.cmake
 67 | ```
 68 | Tallied log messages
 69 | ```
 70 | 68  Sandbox: cmake(#####) deny(#) process-exec* /usr/sbin/sysctl
 71 |  68  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sysctl
 72 |  16  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##R#
 73 |  11  Sandbox: cmake(#####) deny(#) file-read-metadata /opt
 74 |  11  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Frameworks
 75 |   9  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin
 76 |   6  Sandbox: cmake(#####) deny(#) file-read-metadata /sbin
 77 |   6  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr/bin
 78 |   5  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr
 79 |   5  Sandbox: cmake(#####) deny(#) file-read-data /
 80 |   3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/standalone
 81 |   3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sendmail
 82 |   3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/libexec
 83 |   3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##
 84 |   3  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/safaridriver
 85 |   3  Sandbox: cmake(#####) deny(#) file-read-data /usr/sbin
 86 |   3  Sandbox: cmake(#####) deny(#) file-read-data /sbin
 87 |   3  Sandbox: cmake(#####) deny(#) file-read-data /opt
 88 |   3  Sandbox: cmake(#####) deny(#) file-read-data /Library/Frameworks
 89 |   3  Sandbox: cmake(#####) deny(#) file-read-data /Library/Apple/usr/bin
 90 |   2  Sandbox: cmake(#####) deny(#) sysctl-read vm.swapusage
 91 |   2  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.family
 92 |   2  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.cores_per_package
 93 |   2  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.brand_string
 94 |   2  Sandbox: cmake(#####) deny(#) sysctl-read hw.physicalcpu
 95 |   2  Sandbox: cmake(#####) deny(#) sysctl-read hw.pagesize
 96 |   2  Sandbox: cmake(#####) deny(#) sysctl-read hw.memsize
 97 |   2  Sandbox: cmake(#####) deny(#) sysctl-read hw.logicalcpu
 98 |   2  Sandbox: cmake(#####) deny(#) sysctl-read hw.l#icachesize
 99 |   2  Sandbox: cmake(#####) deny(#) sysctl-read hw.l#cachesize
100 |   2  Sandbox: cmake(#####) deny(#) sysctl-read hw.cpufrequency
101 |   2  Sandbox: clang(#####) deny(#) file-read-metadata /Library/Frameworks
102 |   1  Sandbox: ld(#####) deny(#) file-read-metadata /Library/Frameworks
103 |   1  Sandbox: cmake(#####) deny(#) file-write-create /Users/sand/.cmake/packages/glog/#######d#####b##f#f#afed#######b.tmp##f##
104 |   1  Sandbox: cmake(#####) deny(#) file-read-metadata /Users/sand/.cmake/packages/glog
105 | ```
106 | 
107 | ### eigen
108 | ```
109 | mkdir -p "$HOME/Dev Space/Net/eigen/"{Src,Build,Dist,Inst}
110 | cd "$HOME/Dev Space/Net/eigen/Dist"
111 | curl -OL https://gitlab.com/libeigen/eigen/-/archive/3.3.9/eigen-3.3.9.tar.gz
112 | cd "$HOME/Dev Space/Net/eigen/Src"
113 | ;: untar with sandbox protection
114 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" tar xf "$HOME/Dev Space/Net/eigen/Dist/eigen-3.3.9.tar.gz"
115 | cd "$HOME/Dev Space/Net/eigen/Build"
116 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" cmake -S "$HOME/Dev Space/Net/eigen/Src/eigen-3.3.9" -B . --install-prefix "$HOME/Dev Space/Net/eigen/Inst"
117 | ```
118 | Output from above includes several error message like this
119 | 
120 | ```
121 | ...
122 | -- Could NOT find PkgConfig (missing: PKG_CONFIG_EXECUTABLE) 
123 | CMake Warning (dev) at /Users/sand/Dev Space/Net/cmake/Inst/share/cmake-3.21/Modules/FindPackageHandleStandardArgs.cmake:438 (message):
124 |   The package name passed to `find_package_handle_standard_args` (BLAS) does
125 |   not match the name of the calling package (BLASEXT).  This can lead to
126 |   problems in calling code that expects `find_package` result variables
127 |   (e.g., `_FOUND`) to follow a certain pattern.
128 | Call Stack (most recent call first):
129 |   cmake/FindBLASEXT.cmake:377 (find_package_handle_standard_args)
130 |   cmake/FindPASTIX.cmake:214 (find_package)
131 |   bench/spbench/CMakeLists.txt:41 (find_package)
132 | This warning is for project developers.  Use -Wno-dev to suppress it.
133 | ...
134 | -- 
135 | CMake Warning at CMakeLists.txt:578 (export):
136 |   Cannot create package registry file:
137 | 
138 |     /Users/sand/.cmake/packages/Eigen3/aeefd2fb089633968c17f476bf3a866b
139 | 
140 |   No such file or directory
141 | 
142 | 
143 | 
144 | -- Configuring done
145 | CMake Warning (dev):
146 |   Policy CMP0042 is not set: MACOSX_RPATH is enabled by default.  Run "cmake
147 |   --help-policy CMP0042" for policy details.  Use the cmake_policy command to
148 |   set the policy and suppress this warning.
149 | 
150 |   MACOSX_RPATH is not specified for the following targets:
151 | 
152 |    eigen_blas
153 |    eigen_lapack
154 | 
155 | This warning is for project developers.  Use -Wno-dev to suppress it.
156 | 
157 | -- Generating done
158 | -- Build files have been written to: /Users/sand/Dev Space/Net/eigen/Build
159 | ```
160 | Continuing...
161 | ```
162 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make -j 4 install
163 | ...
164 | -- Installing: /Users/sand/Dev Space/Net/eigen/Inst/include/eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorAssign.h
165 | ```
166 | Tallied log messages
167 | ```
168 | 156  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##R#
169 |  92  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin
170 |  69  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.distributed_notifications@Uv#
171 |  69  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.FSEvents
172 |  69  Sandbox: xcodebuild(#####) deny(#) file-read-data /
173 |  60  Sandbox: cmake(#####) deny(#) process-exec* /usr/sbin/sysctl
174 |  60  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sysctl
175 |  57  Sandbox: cmake(#####) deny(#) file-read-metadata /opt
176 |  57  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Frameworks
177 |  51  Sandbox: cmake(#####) deny(#) file-read-metadata /sbin
178 |  51  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr/bin
179 |  41  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/standalone
180 |  41  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sendmail
181 |  41  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/libexec
182 |  41  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##
183 |  41  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/safaridriver
184 |  41  Sandbox: cmake(#####) deny(#) file-read-data /usr/sbin
185 |  41  Sandbox: cmake(#####) deny(#) file-read-data /sbin
186 |  41  Sandbox: cmake(#####) deny(#) file-read-data /opt
187 |  41  Sandbox: cmake(#####) deny(#) file-read-data /Library/Apple/usr/bin
188 |  39  Sandbox: cmake(#####) deny(#) file-read-data /Library/Frameworks
189 |  10  Sandbox: cmake(#####) deny(#) sysctl-read vm.swapusage
190 |  10  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.family
191 |  10  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.cores_per_package
192 |  10  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.brand_string
193 |  10  Sandbox: cmake(#####) deny(#) sysctl-read hw.physicalcpu
194 |  10  Sandbox: cmake(#####) deny(#) sysctl-read hw.pagesize
195 |  10  Sandbox: cmake(#####) deny(#) sysctl-read hw.memsize
196 |  10  Sandbox: cmake(#####) deny(#) sysctl-read hw.logicalcpu
197 |  10  Sandbox: cmake(#####) deny(#) sysctl-read hw.l#icachesize
198 |  10  Sandbox: cmake(#####) deny(#) sysctl-read hw.l#cachesize
199 |  10  Sandbox: cmake(#####) deny(#) sysctl-read hw.cpufrequency
200 |   6  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr
201 |   6  Sandbox: cmake(#####) deny(#) file-read-data /
202 |   3  Sandbox: clang(#####) deny(#) file-read-metadata /Library/Frameworks
203 |   2  Sandbox: ld(#####) deny(#) file-read-metadata /Library/Frameworks
204 |   1  Sandbox: routined(#####) deny(#) mach-lookup com.apple.Maps.MapsSync.store
205 |   1  Sandbox: cmake(#####) deny(#) file-write-create /Users/sand/.cmake/packages/Eigen#
206 | ```
207 |   
208 | ### ceres
209 | Note setting `CMAKE_PREFIX_PATH` and `touch`
210 | 
211 | ```
212 | mkdir -p "$HOME/Dev Space/Net/ceres/"{Src,Build,Dist,Inst}
213 | cd "$HOME/Dev Space/Net/ceres/Src"
214 | git clone https://ceres-solver.googlesource.com/ceres-solver
215 | cd "$HOME/Dev Space/Net/ceres/Build"
216 | export CMAKE_PREFIX_PATH="$HOME/Dev Space/Net/eigen/Inst:$HOME/Dev Space/Net/glog/Inst:$HOME/Dev Space/Net/gflags/Inst"
217 | ;: touch - because if the .git/hooks/commit-msg does not exist in the source, it will try to download and copy it there, which fails because _sandbox_
218 | touch  "$HOME/Dev Space/Net/ceres/Src/ceres-solver/.git/hooks/commit-msg"
219 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" cmake -S "$HOME/Dev Space/Net/ceres/Src/ceres-solver" -B . --install-prefix "$HOME/Dev Space/Net/ceres/Inst"
220 | ...
221 | -- Build files have been written to: /Users/sand/Dev Space/Net/ceres/Build
222 |        16.87 real         6.54 user         5.48 sys
223 | 
224 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make -j 4 install
225 | ...
226 | -- Installing: /Users/sand/Dev Space/Net/ceres/Inst/lib/libceres.a
227 | /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: /Users/sand/Dev Space/Net/ceres/Inst/lib/libceres.a(cxsparse.cc.o) has no symbols
228 | /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: /Users/sand/Dev Space/Net/ceres/Inst/lib/libceres.a(float_suitesparse.cc.o) has no symbols
229 | /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: /Users/sand/Dev Space/Net/ceres/Inst/lib/libceres.a(float_cxsparse.cc.o) has no symbols
230 | /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: /Users/sand/Dev Space/Net/ceres/Inst/lib/libceres.a(suitesparse.cc.o) has no symbols
231 |       506.95 real      1911.76 user        81.74 sys
232 | ```
233 | Tallied log messages
234 | ```
235 | 122  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##R#
236 | 101  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin
237 | 100  Sandbox: cmake(#####) deny(#) file-read-metadata /opt
238 | 100  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Frameworks
239 |  91  Sandbox: cmake(#####) deny(#) file-read-metadata /sbin
240 |  91  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr/bin
241 |  18  Sandbox: cmake(#####) deny(#) process-exec* /usr/sbin/sysctl
242 |  18  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sysctl
243 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/standalone
244 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sendmail
245 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/libexec
246 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##
247 |  10  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/safaridriver
248 |  10  Sandbox: cmake(#####) deny(#) file-read-data /usr/sbin
249 |  10  Sandbox: cmake(#####) deny(#) file-read-data /sbin
250 |  10  Sandbox: cmake(#####) deny(#) file-read-data /opt
251 |  10  Sandbox: cmake(#####) deny(#) file-read-data /Library/Apple/usr/bin
252 |   9  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr
253 |   9  Sandbox: cmake(#####) deny(#) file-read-data /Library/Frameworks
254 |   9  Sandbox: cmake(#####) deny(#) file-read-data /
255 |   3  Sandbox: clang(#####) deny(#) file-read-metadata /Library/Frameworks
256 |   2  Sandbox: ld(#####) deny(#) file-read-metadata /Library/Frameworks
257 |   1  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.lsd.modifydb
258 |   1  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.coreservices.quarantine-resolver
259 |   1  Sandbox: xcodebuild(#####) deny(#) file-read-metadata /Users/sand/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
260 |   1  Sandbox: xcodebuild(#####) deny(#) file-read-data /Users/sand/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
261 | ```
262 | Try running the tests
263 | ```
264 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make test
265 | ...
266 | 165/165 Test #165: ba_sparseschur_acceleratesparse_user_threads_test .............   Passed    2.47 sec
267 | 
268 | 95% tests passed, 8 tests failed out of 165
269 | 
270 | Total Test time (real) = 151.28 sec
271 | 
272 | The following tests FAILED:
273 |      19 - corrector_test (SEGFAULT)
274 |      21 - covariance_test (SEGFAULT)
275 |      39 - graph_test (SEGFAULT)
276 |      53 - local_parameterization_test (SEGFAULT)
277 |      58 - ordered_groups_test (SEGFAULT)
278 |      61 - parameter_block_test (SEGFAULT)
279 |      66 - problem_test (SEGFAULT)
280 |      85 - triplet_sparse_matrix_test (SEGFAULT)
281 | Errors while running CTest
282 | Output from these tests are in: /Users/sand/Dev Space/Net/ceres/Build/Testing/Temporary/LastTest.log
283 | Use "--rerun-failed --output-on-failure" to re-run the failed cases verbosely.
284 | make: *** [test] Error 8
285 |       151.33 real       160.65 user        15.60 sys
286 | ```
287 | Most tests pass. Nothing in sandbox log indicating sandbox was cause of failure.
288 | 
289 | ### pbrt-v4
290 | ```
291 | mkdir -p "$HOME/Dev Space/Net/pbrt-v4/"{Src,Build,Dist,Inst}
292 | cd "$HOME/Dev Space/Net/pbrt-v4/Src"
293 | git clone --recursive https://github.com/mmp/pbrt-v4.git
294 | cd "$HOME/Dev Space/Net/pbrt-v4/Build"
295 | unset CMAKE_PREFIX_PATH
296 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" cmake -S "$HOME/Dev Space/Net/pbrt-v4/Src/pbrt-v4" -B . --install-prefix "$HOME/Dev Space/Net/pbrt-v4/Inst"
297 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make -j 4 install
298 | ...
299 | -- Installing: /Users/sand/Dev Space/Net/pbrt-v4/Inst/lib/cmake/double-conversion/double-conversionTargets-release.cmake
300 |       438.93 real      2226.95 user        59.35 sys
301 | ```
302 | Tallied log messages
303 | ```
304 | 30  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##R#
305 | 27  Sandbox: cmake(#####) deny(#) process-exec* /usr/sbin/sysctl
306 | 27  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sysctl
307 | 17  Sandbox: cmake(#####) deny(#) file-read-metadata /opt
308 | 17  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Frameworks
309 | 11  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin
310 | 10  Sandbox: cmake(#####) deny(#) sysctl-read vm.swapusage
311 | 10  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.family
312 | 10  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.cores_per_package
313 | 10  Sandbox: cmake(#####) deny(#) sysctl-read machdep.cpu.brand_string
314 | 10  Sandbox: cmake(#####) deny(#) sysctl-read hw.physicalcpu
315 | 10  Sandbox: cmake(#####) deny(#) sysctl-read hw.pagesize
316 | 10  Sandbox: cmake(#####) deny(#) sysctl-read hw.memsize
317 | 10  Sandbox: cmake(#####) deny(#) sysctl-read hw.logicalcpu
318 | 10  Sandbox: cmake(#####) deny(#) sysctl-read hw.l#icachesize
319 | 10  Sandbox: cmake(#####) deny(#) sysctl-read hw.l#cachesize
320 | 10  Sandbox: cmake(#####) deny(#) sysctl-read hw.cpufrequency
321 |  9  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr
322 |  9  Sandbox: cmake(#####) deny(#) file-read-data /
323 |  8  Sandbox: cmake(#####) deny(#) file-read-metadata /sbin
324 |  8  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/usr/bin
325 |  3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/standalone
326 |  3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/sbin/sendmail
327 |  3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/libexec
328 |  3  Sandbox: cmake(#####) deny(#) file-read-metadata /usr/X##
329 |  3  Sandbox: cmake(#####) deny(#) file-read-metadata /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/safaridriver
330 |  3  Sandbox: cmake(#####) deny(#) file-read-data /usr/sbin
331 |  3  Sandbox: cmake(#####) deny(#) file-read-data /sbin
332 |  3  Sandbox: cmake(#####) deny(#) file-read-data /opt
333 |  3  Sandbox: cmake(#####) deny(#) file-read-data /Library/Frameworks
334 |  3  Sandbox: cmake(#####) deny(#) file-read-data /Library/Apple/usr/bin
335 |  3  Sandbox: clang(#####) deny(#) file-read-metadata /Library/Frameworks
336 |  2  Sandbox: ld(#####) deny(#) file-read-metadata /Library/Frameworks
337 |  1  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.distributed_notifications@Uv#
338 |  1  Sandbox: xcodebuild(#####) deny(#) mach-lookup com.apple.FSEvents
339 |  1  Sandbox: xcodebuild(#####) deny(#) file-read-data /
340 | ```
341 | Test render simple scene with pbrt
342 | ```
343 | mkdir -p "$HOME/Dev Space/Net/tests/pbrt"
344 | cd "$HOME/Dev Space/Net/tests/pbrt"
345 | cat >s8v4.pbrt <<'EOFF'
346 | Film "rgb"
347 |     "integer yresolution" [ 300 ]
348 |     "integer xresolution" [ 300 ]
349 |     "string filename" [ "s8.png" ]
350 | 
351 | Sampler "halton"
352 |     "integer pixelsamples" [ 128 ]
353 | Integrator "bdpt"
354 | LookAt 796800000 0 0
355 |     800000000 0 0
356 |     0 0 1
357 | Camera "perspective"
358 |     "float fov" [ 4 ]
359 | WorldBegin
360 | LightSource "distant"
361 |     "float scale" [1.5]
362 |     "blackbody L" [ 6500 ]
363 |     "point3 to" [ 1 0 0 ]
364 | AttributeBegin
365 |     Material "diffuse"
366 |         "rgb reflectance" [ 0.9 0.9 0.9 ]
367 |     Translate 800000000 0 0
368 |     Shape "sphere"
369 |         "float radius" [ 80000 ]
370 | AttributeEnd
371 | EOFF
372 | 
373 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" "$HOME/Dev Space/Net/pbrt-v4/Inst/bin/pbrt" s8v4.pbrt
374 | pbrt version 4 (built Sep 13 2021 at 20:35:33)
375 | Copyright (c)1998-2021 Matt Pharr, Wenzel Jakob, and Greg Humphreys.
376 | The source code to pbrt (but *not* the book contents) is covered by the Apache 2.0 License.
377 | See the file LICENSE.txt for the conditions of the license.
378 | Rendering: [+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]  (10.6s)       
379 |        10.82 real        78.99 user         0.17 sys
380 | ```
381 | ### llvm clang
382 | ```
383 | mkdir -p "$HOME/Dev Space/Net/llvm/"{Src,Build,Dist,Inst}
384 | cd "$HOME/Dev Space/Net/llvm/Src"
385 | git clone --depth=1 https://github.com/llvm/llvm-project.git
386 | 
387 | ;: patch llvm bug that causes abort durring clang link of build directory path contains space character
388 | cd "$HOME/Dev Space/Net/llvm/Src/llvm-project/clang/tools/driver"
389 | patch <<'EOFF'
390 | --- CMakeLists.txt    2021-09-14 13:10:43.000000000 -0700
391 | +++ CMakeLists-fixed.txt    2021-09-14 13:13:16.000000000 -0700
392 | @@ -82,7 +82,7 @@
393 |    set(TOOL_INFO_PLIST_OUT "${CMAKE_CURRENT_BINARY_DIR}/${TOOL_INFO_PLIST}")
394 |    target_link_libraries(clang
395 |      PRIVATE
396 | -    "-Wl,-sectcreate,__TEXT,__info_plist,${TOOL_INFO_PLIST_OUT}")
397 | +    "-Wl,-sectcreate,__TEXT,__info_plist,\"${TOOL_INFO_PLIST_OUT}\"")
398 |    configure_file("${TOOL_INFO_PLIST}.in" "${TOOL_INFO_PLIST_OUT}" @ONLY)
399 |  
400 |    set(TOOL_INFO_UTI)
401 | EOFF
402 | 
403 | 
404 | cd "$HOME/Dev Space/Net/llvm/Build"
405 | unset CMAKE_PREFIX_PATH
406 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" cmake -S "$HOME/Dev Space/Net/llvm/Src/llvm-project/llvm" -B . --install-prefix "$HOME/Dev Space/Net/llvm/Inst" -DLLVM_ENABLE_PROJECTS=clang -G "Unix Makefiles"
407 | ...
408 | -- Performing Test HAVE_STEADY_CLOCK -- success
409 | -- Configuring done
410 | -- Generating done
411 | -- Build files have been written to: /Users/sand/Dev Space/Net/llvm/Build
412 |        65.92 real        27.86 user        34.20 sys
413 | 
414 | /usr/bin/time sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="`dirname $PWD`" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" make -j 4 install ; date
415 | ...
416 | -- Installing: /Users/sand/Dev Space/Net/llvm/Inst/lib/cmake/llvm/./TableGen.cmake
417 |      5701.77 real     20778.79 user      1164.39 sys
418 | Tue Sep 14 15:07:26 PDT 2021
419 | ```
420 | Test trivial compile with built clang
421 | ```
422 | mkdir -p "$HOME/Dev Space/Net/tests"
423 | cd "$HOME/Dev Space/Net/tests"
424 | cat >main.c <<'EOFF'
425 | #include <stdio.h>
426 | int main(){
427 | printf("hello you\n");
428 | return 0;
429 | }
430 | EOFF
431 | 
432 | ;: Note: needed -isysroot to find stdio.h
433 | ;: Maybe there is better way to build clang to specify default system search
434 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" "$HOME/Dev Space/Net/llvm/Inst"/bin/clang  -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk main.c
435 | sandbox-exec -D_RX1="$HOME/Dev Space/Net" -D_RW1="$PWD" -D_TMPDIR="$TMPDIR" -f "$HOME/Development/github/macOSSandboxBuild/confined.sb" "`pwd`/a.out"
436 | ```
437 | 


--------------------------------------------------------------------------------
/nomach.sb:
--------------------------------------------------------------------------------
1 | (version 1)
2 | ;; Profile that just blocks mach-lookup
3 | ;; Only used while populating xcrun_db
4 | (allow default)
5 | (deny mach-lookup)
6 | 


--------------------------------------------------------------------------------
/ping.sb:
--------------------------------------------------------------------------------
 1 | (version 1)
 2 | 
 3 | ;; sandbox profile for ping ping6
 4 | 
 5 | ;; For explanation and usage see https://github.com/BrianSwift/macOSSandboxBuild
 6 | 
 7 | (deny default)
 8 | 
 9 | (allow file-read* process-exec 
10 | 	(literal "/sbin/ping")
11 | 	(literal "/sbin/ping6")
12 | )
13 | 
14 | (allow network-outbound
15 |        (literal "/private/var/run/mDNSResponder")
16 |        (remote udp) ; ping
17 | )
18 | 
19 | (allow network-inbound (local udp "*:*")) ; ping
20 | 
21 | (allow file-read-metadata
22 | 	(literal "/var") ; needed for DNS resolution
23 | )
24 | 


--------------------------------------------------------------------------------