#StackBounty: #macosx #sandbox Doing builds in a sandbox

Bounty: 50

I’m keen to start allowing people to build Electron apps on my cloud infrastructure.

On Linux the security I’m employing is with throwaway Docker containers. I know it’s not 100% secure but it’s better than just executing them in the folder somewhere.

Now, I’m offering the opportunity to build on a Mac. It needs to be within the OS as the build relies on the hdiutil package.

The trouble is, on Mac, I don’t know how to lock a user into a folder with basically no permissions except to run the installer. The environment would also need to be cleaned between each build.

How would I go about running a command with a non-privileged user, ensuring the script cannot break out of the folder in question? I looked into jailed roots, but I wondered if this was the most appropriate way to do this.

I have also looked into virtualisation, but initially I’ll only have one virtualised Linux server to do this with – having virtualised OSX instances on there too might not be possible in the first instance. I’m not even sure if it’s legal to virtualise OSX for a service?

I have also seen a method described here:

https://paolozaino.wordpress.com/2015/08/04/how-to-run-your-applications-in-a-mac-os-x-sandbox-to-enhance-security/

Is this a good idea?

Just a heads up, the build command is actually a Node.js “bin”, executed like this:

$(pwd)/node_modules/.bin/build -m
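An added example, not part of the question or of the linked article, showing what the sandbox-exec approach from that link looks like when combined with the two other things the question asks for (an unprivileged build user and a throwaway directory that is wiped after every build). It assumes a macOS host with `/usr/bin/sandbox-exec`, a pre-created unprivileged account (called `builder` here), that the wrapper itself runs as root so it can `chown` the staged directory, and that the project's build artifacts are collected from the job directory before it is deleted. The profile language (SBPL) is undocumented by Apple, so the allow list below is a deliberately small starting point; anything the build needs beyond it (hdiutil in particular talks to helper services) shows up as sandbox denials in the unified log / Console.app and has to be added rule by rule.

```shell
#!/bin/sh
# Throwaway, unprivileged, kernel-sandboxed build on macOS (example code, not
# from the question or the linked post).  Assumed: macOS with sandbox-exec,
# an existing unprivileged account, and this wrapper running as root.

make_profile() {
    # $1: absolute path of the per-build directory.
    # Default-deny SBPL profile: the build may read the toolchain and the
    # rest of the filesystem, spawn child processes, and write only inside
    # its own job directory.  Network is denied by default; add
    # "(allow network*)" only if the build really has to fetch packages.
    printf '%s\n' \
        '(version 1)' \
        '(deny default)' \
        ';; node and its children need to fork/exec and read sysctls' \
        '(allow process-exec)' \
        '(allow process-fork)' \
        '(allow sysctl-read)' \
        ';; read-only view of the system, /usr/bin/hdiutil included' \
        '(allow file-read*)' \
        ';; every write is confined to the throwaway build directory' \
        "(allow file-write* (subpath \"$1\"))"
}

stage_build_dir() {
    # $1: the user's source checkout.  Copies it into a fresh directory
    # under /tmp and prints that path, so each build starts clean.
    job=$(mktemp -d /tmp/build.XXXXXX)
    cp -R "$1/." "$job/"
    printf '%s\n' "$job"
}

run_sandboxed_build() {
    # $1: source checkout, $2: unprivileged build account (e.g. builder).
    src=$1
    user=$2
    job=$(stage_build_dir "$src")
    profile="$job.sb"
    make_profile "$job" > "$profile"
    chown -R "$user" "$job"

    # Two layers: the unprivileged user (discretionary permissions) and the
    # kernel sandbox (mandatory, so even files that user could normally
    # write are off limits).  HOME and TMPDIR point inside the job dir so
    # caches and temp files never touch the real home directory.
    rc=0
    sudo -u "$user" sandbox-exec -f "$profile" \
        env HOME="$job" TMPDIR="$job" \
        "$job/node_modules/.bin/build" -m || rc=$?

    # Collect artifacts from "$job" here, then destroy the environment so
    # the next build cannot see anything this one left behind.
    rm -rf "$job" "$profile"
    return $rc
}

# Usage (only runs when sandbox-exec exists and two arguments are given):
#   sudo ./build-in-sandbox.sh /path/to/checkout builder
if command -v sandbox-exec >/dev/null 2>&1 && [ $# -ge 2 ]; then
    run_sandboxed_build "$1" "$2"
fi
```

Two caveats worth knowing before relying on this: Apple has marked sandbox-exec as deprecated (it still ships and works, but the profile language is unsupported and may change), and a profile only limits what the process may touch, not how much CPU, disk or time it consumes, so a runaway build still needs a timeout and a disk quota around it. It also does nothing to stop a build that is allowed to write to its own directory from filling it with whatever it likes, which is why the directory is deleted unconditionally at the end.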

