seatbelt-sandboxer

# macOS Seatbelt Sandbox Profiling Generate minimally-permissioned allowlist-based Seatbelt sandbox configurations for applications. ## When to Use - User asks to "sandbox", "isolate", or "restrict" an application on macOS - Sandboxing any macOS process that needs restricted file/network access - Creating defense-in-depth isolation if supply chain attacks are a concern ## When NOT to Use - Linux containers (use seccomp-bpf, AppArmor, or namespaces instead) - Windows applications - Applications that legitimately need broad system access - Quick one-off scripts where sandboxing overhead isn't justified ## Profiling Methodology ### Step 1: Identify Application Requirements Determine what the application needs across these resource categories: | Category | Operations | Common Use Cases | |----------|------------|------------------| | **File Read** | `file-read-data`, `file-read-metadata`, `file-read-xattr`, `file-test-existence`, `file-map-executable` | Reading source files, configs, libraries | | **File Write** | `file-write-data`, `file-write-create`, `file-write-unlink`, `file-write-mode`, `file-write-xattr`, `file-clone`, `file-link` | Output files, caches, temp files | | **Network** | `network-bind`, `network-inbound`, `network-outbound` | Servers, API calls, package downloads | | **Process** | `process-fork`, `process-exec`, `process-exec-interpreter`, `process-info*`, `process-codesigning*` | Spawning child processes, scripts | | **Mach IPC** | `mach-lookup`, `mac...