| SANDBOX(7) | Miscellaneous Information Manual | SANDBOX(7) |
sandbox — overview
of the sandbox facility
#include
<sandbox.h>
The sandbox facility allows applications
to voluntarily restrict their access to operating system resources. This
safety mechanism is intended to limit potential damage in the event that a
vulnerability is exploited. It is not a replacement for other operating
system access controls.
New processes inherit the sandbox of their
parent. Restrictions are generally enforced upon acquisition of operating
system resources only. For example, if file system writes are restricted, an
application will not be able to open(2) a file for
writing. However, if the application already has a file descriptor opened
for writing, it may use that file descriptor regardless of restrictions.
| January 29, 2010 | Mac OS X |