Glossary

SBPL (Sandbox Profile Language)

A Scheme-derived DSL Apple uses to write sandbox profiles. Compiled to bytecode by libsandbox; evaluated by Sandbox.kext on every controlled syscall.

SBPL — Sandbox Profile Language — is the Scheme-derived DSL Apple uses to write sandbox profiles. Every sandboxed process on macOS runs under a compiled SBPL program.

A profile is a sequence of (allow|deny) <operation> <filters>... rules:

(version 1)
(deny default)
(allow file-read* (subpath "/usr/lib"))
(allow mach-lookup (global-name "com.apple.cfprefsd.agent"))
(allow network-outbound)

Operations cover every controlled syscall class: file-*, mach-*, signal, process-*, iokit-open, network-*. Filters match by path, regex, Mach port name, file extension, xattr, and dozens more.

libsandbox compiles textual SBPL into compact bytecode the kernel can evaluate efficiently. The bytecode is handed to Sandbox.kext via sandbox_apply(); from then on it runs on every controlled syscall the process makes.
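To make the rule model concrete, here is an added example (not Apple's libsandbox or Sandbox.kext code) that parses a small SBPL profile like the one above and decides allow/deny for an operation and its argument. It assumes simplified semantics: `(deny default)` is the fallback, a rule whose operation name ends in `*` covers every operation with that prefix, a later matching rule overrides an earlier one, and only the subpath, literal, regex and global-name filters are modelled; the extra `(deny file-read* (literal ...))` line and the paths are constructed.

```python
import re

# Constructed sample profile, same shape as the entry's example,
# plus one narrower deny rule to show later rules overriding earlier ones.
PROFILE = """
(version 1)
(deny default)
(allow file-read* (subpath "/usr/lib"))
(deny file-read* (literal "/usr/lib/private.dylib"))
(allow mach-lookup (global-name "com.apple.cfprefsd.agent"))
(allow network-outbound)
"""

def parse(text):
    """Tokenise the Scheme-style text into nested lists of strings."""
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', text)
    stack, cur = [], []
    for tok in tokens:
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok.strip('"'))
    return cur

def filter_matches(flt, arg):
    """Evaluate one filter form against the syscall argument (path or port name)."""
    kind, value = flt[0], flt[1]
    if arg is None:
        return False  # a filtered rule cannot match an argument-less request
    if kind == "subpath":  # the directory itself or anything beneath it
        return arg == value or arg.startswith(value.rstrip("/") + "/")
    if kind in ("literal", "global-name"):
        return arg == value
    if kind == "regex":
        return re.search(value, arg) is not None
    raise ValueError(f"unsupported filter: {kind}")

def op_matches(pattern, op):
    """'file-read*' covers file-read-data, file-read-metadata, ... (assumed)."""
    return op.startswith(pattern[:-1]) if pattern.endswith("*") else op == pattern

def evaluate(profile_text, op, arg=None):
    """Return 'allow' or 'deny'; last matching rule wins, default is the fallback."""
    default, decision = "deny", None
    for form in parse(profile_text):
        if form[0] not in ("allow", "deny"):
            continue  # e.g. (version 1)
        verdict, target, filters = form[0], form[1], form[2:]
        if target == "default":
            default = verdict
        elif op_matches(target, op) and all(filter_matches(f, arg) for f in filters):
            decision = verdict
    return decision or default
```

Running it against the sample profile shows why a `deny default` profile with narrow subpath allows is the safe shape: anything the rules do not name, such as a read of `/etc/passwd` or an inbound connection, falls through to deny.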

System base profiles live at /System/Library/Sandbox/Profiles/ — many are readable directly. Apps adopt their profile via the com.apple.security.app-sandbox entitlement, with rules generated from each entitlement they declare.

See also: sandbox, entitlement, and the sandbox profiles article.