allow setugid with sandbox-exec

I have an executable (Google Chrome) that apparently "is running setugid()". I cannot find a way to make it work when called from within a /usr/bin/sandbox-exec sandbox without sudo.

Given the following sandbox profile:

(version 1)
(allow process-exec
    (literal "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome")
    (literal "/usr/bin/sudo")
    (with no-sandbox)
)

The following two commands work:

  • /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
  • /usr/bin/sandbox-exec -f ./profile.sb sudo /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

(although the second one is really not smart) but this does not work:

$ /usr/bin/sandbox-exec -f ./profile.sb /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
2022-06-07 23:06:50.267 Google Chrome[21533:679255] The application with bundle ID com.google.Chrome is running setugid(), which is not allowed. Exiting.

I'm not sure what's preventing Chrome from "running setugid()". I've read somewhere that it's something called "AppKit", but I'm not sure how it gets involved here. Is there a way to have sandbox-exec allow the Chrome process to do what it needs, without sudo?

Any help is appreciated.

What you’re trying to do is not supported:

  • We don’t support running applications as root.

  • We don’t document the sandbox programming language for third-party use.

What’s your high-level goal here? With more background I might be able to point you to a supported option.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo left some comments on your reply but it looks like they disappeared. Thanks for the quick reply.

I'm trying to run a nodejs process in a sandbox so that it doesn't have access to the filesystem outside of its directory. The node process needs to spawn Chrome however, which I'm trying to run without the sandbox.

We don’t support running applications as root.

I'm not trying to run Chrome as root, I just noticed that when I started it with sudo, it worked.

We don’t document the sandbox programming language for third-party use.

I understand, I was just hoping for pointers. :)

I'm trying to run a nodejs process in a sandbox so that it doesn't have access to the filesystem outside of its directory. The node process needs to spawn Chrome

I don’t think there’s any good way to achieve this goal. While you might reasonably be able to reverse engineer the sandbox and apply that to your Node.js code, it’s very unlikely that Chrome will tolerate being run in that sandbox. It’s way too big for that. Eventually you’ll fall into a hole where Chrome expects to be able to do something and can’t because of your sandbox.

If I were in your shoes I’d investigate running this stuff in a VM. That provides good isolation while allowing the code to run in the environment that it expects. And if a macOS VM is too ‘heavy’, you could use a Linux VM instead.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Ok, I found a way. If sandbox-exec calls Chrome directly, things break, but calling a wrapper that then calls Chrome is ok:

(version 1)
(allow default)
(allow network*)
(deny file* (subpath "/Users/nicolas"))
(allow file-read-metadata (subpath "/Users/nicolas"))
(deny file* (subpath "/Applications"))
(deny file* (subpath "/Users/nicolas/Applications"))
(allow file* (subpath "/Users/nicolas/Library/Application Support"))
(allow process-exec
    (literal "/bin/ps")
    (literal "/path/to/chrome-runner")
    (with no-sandbox)
    )

The "chrome runner":

#!/bin/sh
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

$ /usr/bin/sandbox-exec -f ./profile.sb ./chrome-runner
... actually opens Chrome

I know this is a little unorthodox, but thanks for your patience Quinn!
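The wrapper in this answer is listed under `(with no-sandbox)`, so it and the Chrome it launches run entirely outside the sandbox; anything the sandboxed process can get executed through that path escapes the profile. The POSIX sh script below is an added example, not code from the thread or from Apple: it lists every no-sandbox process-exec target in a profile (assuming one `(literal "...")` per line, as in the profiles above) and checks that each is an absolute, existing executable that nobody but its owner can modify. The profile and wrapper paths it is run against are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the "escape hatches" of a
# sandbox-exec profile. Every path listed in a top-level
#   (allow process-exec (literal "...") (with no-sandbox))
# rule runs completely outside the sandbox, so each such file must be
# trusted and not modifiable by anyone but its owner.

# Print the (literal "...") paths of every top-level process-exec rule that
# carries (with no-sandbox). Assumes one literal per line, as in the
# profiles in this thread.
nosandbox_exec_targets() {
    awk '
      d == 0 && /\(allow[ \t]+process-exec/ { inrule = 1; n = 0; nosb = 0 }
      inrule && /\(with[ \t]+no-sandbox\)/   { nosb = 1 }
      inrule && match($0, /\(literal[ \t]+"[^"]*"\)/) {
          s = substr($0, RSTART, RLENGTH)
          sub(/^\(literal[ \t]+"/, "", s); sub(/"\)$/, "", s)
          paths[++n] = s
      }
      { for (i = 1; i <= length($0); i++) {            # track paren depth
            c = substr($0, i, 1); if (c == "(") d++; if (c == ")") d-- } }
      inrule && d == 0 { if (nosb) for (i = 1; i <= n; i++) print paths[i]; inrule = 0 }
    ' "$1"
}

# One target passes if it is an absolute path to an existing executable
# that is neither group- nor world-writable. Prints "OK"/"FAIL" and a reason.
check_target() {
    p=$1
    case $p in /*) ;; *) echo "FAIL not-absolute $p"; return 1 ;; esac
    [ -f "$p" ] || { echo "FAIL missing $p"; return 1; }
    [ -x "$p" ] || { echo "FAIL not-executable $p"; return 1; }
    gw_ow=$(ls -ld "$p" | cut -c6,9)        # group-write and other-write bits
    case $gw_ow in *w*) echo "FAIL writable-by-others $p"; return 1 ;; esac
    echo "OK $p"
}

# Audit every no-sandbox target of a profile; succeeds only if all pass.
audit_profile() {
    rc=0
    tmp=$(mktemp) || return 2
    nosandbox_exec_targets "$1" > "$tmp"
    while IFS= read -r p; do check_target "$p" || rc=1; done < "$tmp"
    rm -f "$tmp"
    return $rc
}
```

Run as `audit_profile ./profile.sb`; a FAIL line means that target should be fixed (or removed from the no-sandbox rule) before the profile is relied on.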
