Description of the SBPL - The Apple Sandbox Profile Language
This is a description of the primitives available in SBPL, the Scheme dialect (implemented on top of TinyScheme) used to describe what a process is allowed or denied to do under the Mac OS X sandbox, available on Mac OS X 10.5 (Leopard) and later.
SBPL is a powerful language: a profile can be a handful of one-line rules, or it can use the full Scheme constructs behind them (definitions, conditionals, imports of other profiles). Unfortunately Apple provides no real documentation; the sandbox-exec(1) man page and the system profiles shipped in /usr/share/sandbox are the main references.
For those interested, there is an SBPL syntax file for vim available for download, along with install instructions.
- File and disk handling primitives
- Interprocess communication
- Networking
- Process handling
- System environment control
File and disk handling primitives
- (file*) - this rule applies for ALL file operations
- (file-chroot)
- (file-ioctl)
- (file-read*) - this rule applies to ALL file-read type operations
- (file-read-data)
- (file-read-metadata)
- (file-read-xattr)
- (file-revoke)
- (file-write*) - this rule applies to ALL file-write type operations
- (file-write-data)
- (file-write-flags)
- (file-write-mode)
- (file-write-mount)
- (file-write-owner)
- (file-write-setugid)
- (file-write-times)
- (file-write-unmount)
- (file-write-xattr)
File path filters. A file rule without a filter applies to every path; with one or more of the following filters it applies only to the paths they match. Filters are matched against the resolved path, so /etc and /var have to be written as /private/etc and /private/var.
- literal - exactly one path
- regex - every path matched by a regular expression
- subpath - a directory and everything below it
Interprocess communication
- (ipc*) - this rule applies to ALL ipc type operations
- (ipc-posix*)
- (ipc-posix-sem)
- (ipc-posix-shm)
- (ipc-sysv*) - this rule applies to ALL ipc-sysv type operations
- (ipc-sysv-msg)
- (ipc-sysv-sem)
- (ipc-sysv-shm)
- (mach*) - this rule applies to ALL mach type operations
- (mach-bootstrap)
- (mach-lookup)
- (mach-priv*) - this rule applies to ALL mach-priv type operations
- (mach-priv-host-port)
- (mach-priv-task-port)
- (mach-task-name)
Networking
- (network*) - this rule applies to ALL network type operations
- (network-inbound)
- (network-bind)
- (network-outbound)
Network rule filters. A network rule without a filter applies to every socket; the ip/tcp/udp families below are used inside a local or remote filter together with a host:port pattern (a * matches any host or any port), while unix selects unix-domain sockets, which are matched by their path.
- unix
- ip
- ip4
- ip6
- tcp
- tcp4
- tcp6
- udp
- udp4
- udp6
Process handling
- (process*) - this rule applies to ALL process type operations
- (process-exec)
- (process-fork)
System environment control
- (send-signal)
- (signal) - delivering a signal to another process; a target filter restricts which processes may be signalled (for example only the process itself)
- (sysctl*) - this rule applies to ALL sysctl type operations
- (sysctl-read)
- (sysctl-write)
- (system*) - this rule applies to ALL system type operations
- (system-acct)
- (system-audit)
- (system-fsctl)
- (system-lcid)
- (system-mac-label)
- (system-nfssvc)
- (system-reboot)
- (system-set-time)
- (system-socket)
- (system-swap)
- (system-write-bootstrap)
- (job-creation)
- (mach-per-user-lookup)
Modifiers. A modifier is attached to an allow or deny rule with the with keyword and changes what happens when the rule matches:
- no-log - do not log a match of this rule (useful to silence an expected, harmless deny)
- no-sandbox
- no-profile - This is the same as no-sandbox
- send-signal - send the given signal (e.g. SIGKILL) to the process when the rule matches
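Putting the primitives above together, here is a complete profile that confines a hypothetical HTTPS download tool. It is an added illustration written for this page, not a profile from Apple or from the vim syntax file; the binary, the paths and the Mach service name are assumptions chosen for the example, and the syntax follows the style of the profiles in /usr/share/sandbox on 10.5/10.6.

```scheme
;; Example profile (added illustration, not an Apple or system profile).
;; The binary, paths and service name below are assumptions; adjust them
;; for the real program before use.
(version 1)
(debug deny)                          ; log every denied operation via sandboxd

(deny default)                        ; start closed: anything not allowed below is denied

;; Process handling: only the tool itself may be exec'd, fork is allowed,
;; and it may signal only itself.
(allow process-exec (literal "/usr/local/bin/fetcher"))
(allow process-fork)
(allow signal (target self))

;; File handling. Filters match the resolved path, so /etc and /var have
;; to be written as /private/etc and /private/var.
(allow file-read*
       (subpath "/usr/lib")
       (subpath "/System/Library/Frameworks")
       (literal "/private/etc/hosts"))
(allow file-read-data (regex #"^/private/etc/ssl/[^/]+[.]pem$"))
(allow file-write* (subpath "/private/tmp/fetcher-out"))
(allow file-read-metadata)            ; stat() on arbitrary paths, needed by libc

;; Networking: outbound TCP to port 443 on any host, nothing else.
;; There is no network-bind or network-inbound rule, so listening
;; sockets stay denied by (deny default).
(allow network-outbound (remote tcp "*:443"))

;; IPC: look up one named Mach service; all other mach-lookup is denied.
(allow mach-lookup (global-name "com.apple.SecurityServer"))

;; System environment: read-only sysctl (hw.ncpu, kern.osrelease, ...).
(allow sysctl-read)

;; Modifiers: keep an expected, harmless deny out of the log, and kill the
;; process outright if it ever tries to write under /System.
(deny file-read-xattr (subpath "/Users") (with no-log))
(deny file-write* (subpath "/System") (with send-signal SIGKILL))
```

Run the program under the profile with sandbox-exec -f fetcher.sb /usr/local/bin/fetcher and watch the system log while exercising it: because of (debug deny), every operation the profile blocks is reported by sandboxd with the operation name and path, which is the quickest way to find out which of the primitives listed above a program actually needs. Tighten the profile by removing rules until the log shows only denials you intended, then drop (debug deny) for production.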
Last modified: Wed Jun 23 10:12:28 CEST 2010