This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

For more information about the manual page format, see the manual page for manpages(5).



SANDBOX(7)           BSD Miscellaneous Information Manual           SANDBOX(7)

NAME
     sandbox -- overview of the sandbox facility

SYNOPSIS
     #include <sandbox.h>

DESCRIPTION
     The sandbox facility allows applications to voluntarily restrict their access to operating system
     resources.  This safety mechanism is intended to limit potential damage in the event that a
     vulnerability is exploited.  It is not a replacement for other operating system access controls.

     New processes inherit the sandbox of their parent.  Restrictions are generally enforced upon
     acquisition of operating system resources only.  For example, if file system writes are restricted,
     an application will not be able to open(2) a file for writing.  However, if the application already
     has a file descriptor opened for writing, it may use that file descriptor regardless of restrictions.
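
     The acquisition-time enforcement described above, as an added example that is not part of the
     original manual page: it uses sandbox_init(3) with the kSBXProfileNoWrite named profile, and the
     scratch file path is a hypothetical choice. On systems other than Mac OS X the sandbox step is
     compiled out, so SB_APPLIED stays clear and the second open(2) succeeds.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sandbox.h>   /* sandbox_init(3), kSBXProfileNoWrite */
#endif

enum { SB_APPLIED = 1, SB_OLD_FD_WRITES = 2, SB_NEW_OPEN_DENIED = 4 };

/* Open `path` for writing, enter the no-write sandbox, then compare a write
 * on the descriptor acquired earlier with a fresh open(2) for writing.
 * Returns a bitmask of SB_* flags, or -1 if the initial open failed. */
int sandbox_fd_demo(const char *path)
{
    int result = 0;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
#ifdef __APPLE__
    char *err = NULL;
    /* Named profile that denies all file system writes for this process. */
    if (sandbox_init(kSBXProfileNoWrite, SANDBOX_NAMED, &err) == 0)
        result |= SB_APPLIED;
    else
        sandbox_free_error(err);
#endif
    /* Descriptor acquired before the sandbox: writes still go through. */
    if (write(fd, "after\n", 6) == 6)
        result |= SB_OLD_FD_WRITES;
    /* New acquisition: refused once the sandbox is in force. */
    int fd2 = open(path, O_WRONLY | O_APPEND);
    if (fd2 < 0 && (errno == EPERM || errno == EACCES))
        result |= SB_NEW_OPEN_DENIED;
    else if (fd2 >= 0)
        close(fd2);
    close(fd);
    return result;
}

int main(void)
{
    int r = sandbox_fd_demo("/tmp/sandbox_fd_demo.txt"); /* hypothetical path */
    if (r < 0) { perror("open"); return 1; }
    printf("applied=%d old_fd_writes=%d new_open_denied=%d\n", !!(r & SB_APPLIED),
           !!(r & SB_OLD_FD_WRITES), !!(r & SB_NEW_OPEN_DENIED));
    return 0;
}
```

     Any descriptor that must not remain usable after the sandbox is applied has to be closed before
     calling sandbox_init(3).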

SEE ALSO
     sandbox-exec(1), sandbox_init(3), sandbox-compilerd(8)

Mac OS X                         July 7, 2007                         Mac OS X
