I was just messing with Apple’s sandbox implementation to see if it was possible to close a “vulnerability” in iTunes (more on that later after Apple answers my email) and decided to experiment with something that has been in my mind for a long time and never bothered to try. The idea is to use the sandbox feature to find, for example, hidden files that applications use for serial numbers, time limits, demo limits, etc, or to trace install scripts or malware. In this last case, I find fs_usage too noisy to be really useful. If we deny any kind of writing we can easily follow what the program is trying to write, improving this process.
Documentation on Apple’s sandbox is scarce, with the best references being the presentation by Dionysus Blazakis (here and here) and some scripts by s7ephen (here). You can also find Apple sandbox scripts at /usr/share/sandbox.
You can adapt these scripts and make them more or less granular, where the most important part in this case is to deny all type of file writing. Most probably you will need to tweak this and allow some writing to known files else the application will not start.
The errors are always logged to /var/log/system.log, so the best idea is to tail -f that file to watch the errors and fix them.
This is an example of TranslateIt! Deluxe trying to write some hidden files known to be protection related:
Aug 30 23:04:15 desktop sandboxd: TranslateIt!(3233) deny file-write* /Users/myself/Library/Preferences/.ti_tick_stmp_14.0 Aug 30 23:04:15 desktop sandboxd: TranslateIt!(3233) deny file-write* /Users/myself/Library/Preferences/.ti_tick_dy_14.0
When you are tweaking the scripts you might get some weird crashes. These seem to be related to missing permissions on mach-lookup rule. Check /usr/share/sandbox/bsd.sb. The configuration for this rule seems to help on these crashes!
Maybe I will try to write a document about sandbox rules and features. It’s a useful security feature although not perfect! Better than nothing.
Have fun messing with the scripts!