Alexander Presber

Reputation: 6635

sandbox-exec: deny network access but allow socket

I am using Mac OS X's sandbox-exec to deny network access for a command (e.g. as described in this article).

Unfortunately this also seems to deny MySQL access to its socket:

Can't connect to local MySQL server through socket '/tmp/mysql.sock'

The profile-file for sandbox-exec is this:

(version 1)
(allow default)
(deny network*)

Is there a way to restrict only TCP/internet network access but leave socket access unchanged?

Upvotes: 1

Views: 959

Answers (1)

Alexander Presber

Reputation: 6635

Found out. The profile file has to contain (allow network-outbound (to unix-socket)):

(version 1)
(allow default)
(deny network*)
(allow network-outbound (to unix-socket))

Upvotes: 2
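
One way to confirm that the profile from the answer blocks TCP while leaving the Unix socket usable, as an added example that is not part of the original post. The function names, the `SANDBOX` and `MYSQLADMIN` variables and the `127.0.0.1:3306` TCP endpoint are assumptions; if the server does not listen on TCP, that probe reports `unknown`.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: SANDBOX, MYSQLADMIN,
# write_profile, check_profile, and the 127.0.0.1:3306 TCP endpoint.
SANDBOX=${SANDBOX:-sandbox-exec}
MYSQLADMIN=${MYSQLADMIN:-mysqladmin}

# Write the profile from the answer to the file named in $1.
write_profile() {
    cat > "$1" <<'EOF'
(version 1)
(allow default)
(deny network*)
(allow network-outbound (to unix-socket))
EOF
}

# "mysqladmin ping" exits 0 when the server answers, even if it rejects the login.
# Any arguments are used as a command prefix (empty = run unsandboxed).
ping_tcp()  { "$@" "$MYSQLADMIN" --protocol=TCP --host=127.0.0.1 --port=3306 ping >/dev/null 2>&1; }
ping_unix() { "$@" "$MYSQLADMIN" --protocol=SOCKET --socket="$SOCK" ping >/dev/null 2>&1; }

# Print "tcp=<state> unix=<state>" for profile $1 and socket path $2.
# States: allowed, denied, or unknown (the unsandboxed baseline failed too,
# so a failure inside the sandbox would prove nothing).
check_profile() {
    profile=$1; SOCK=$2
    command -v "$SANDBOX" >/dev/null 2>&1 || { echo "no sandbox-exec" >&2; return 2; }
    result=""
    for kind in tcp unix; do
        if ! "ping_$kind"; then state=unknown
        elif "ping_$kind" "$SANDBOX" -f "$profile"; then state=allowed
        else state=denied
        fi
        result="$result$kind=$state "
    done
    echo "${result% }"
}

# Usage: write_profile ./mysql.sb && check_profile ./mysql.sb /tmp/mysql.sock
```

With the answer's profile the expected line is `tcp=denied unix=allowed`; with the three-line profile from the question both probes come back `denied`.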
