sandbox-exec: macOS's Little-Known Command-Line Sandboxing Tool
Summary
The article explains sandbox-exec, a built-in macOS command-line tool that runs applications in a sandbox to limit their access to resources. It covers how to create sandbox profiles, the two main approaches to sandboxing (deny-by-default and allow-by-default), practical examples, debugging tips, and limitations. It also notes that Apple discourages direct use of sandbox-exec in favor of App Sandbox, but highlights the tool's utility for security-focused testing.