@fkorotkov
Last active June 8, 2021 11:52
Script to run a command in isolation
#!/usr/bin/env bash
set -e
# list of Nix packages to install
NIX_PACKAGES="darwin.shell_cmds"
XCODE_DERIVED_DATA="$HOME/Library/Developer/Xcode/DerivedData"
WORKING_DIRECTORY=$PWD
PROFILE="(version 1)
(debug deny)
;; by default deny everything
(deny default)
;; allow sending signals to itself and processes in the same group
(allow signal (target same-sandbox))
;; allow outbound internet
(allow network-outbound)
;; lookup of IPC communications/messages like PowerManagement
(allow mach-lookup)
;; read POSIX shared memory
(allow ipc-posix-shm-read-data)
(allow ipc-posix-shm-read-metadata)
;; access to notifications
(allow ipc-posix-shm
(ipc-posix-name \"apple.shm.notification_center\")
(ipc-posix-name \"com.apple.AppleDatabaseChanged\"))
;; allow execution of programs (note: process* already covers process-exec from any
;; path, so the subpath-scoped process-exec rules below do not narrow it further)
(allow process*)
(allow process-exec (subpath \"/usr\"))
;; packages installed via Nix
(allow process-exec (subpath \"/nix/store\"))
;; Xcode.
(allow process-exec (subpath \"/Applications/Xcode.app/Contents\"))
;; Allow reading system information like #CPUs, etc.
(allow sysctl-read)
;; make the whole FS readable (and, apart from the write rules below, read-only);
;; everything under /, including $HOME, is visible to the sandboxed command
(allow file-read* (subpath \"/\"))
;; Standard devices.
(allow file* (subpath \"/dev\"))
;; allow writes to temp directories
(allow file* (subpath \"/private/tmp\"))
(allow file* (subpath \"/private/var/folders\"))
;; allow writes to the working dir and Xcode's Derived Data
(allow file* (subpath \"$WORKING_DIRECTORY\"))
(allow file* (subpath \"$XCODE_DERIVED_DATA\"))
;; uncomment to dump traces
;; (trace \"trace_dumps.sb\")
"
PROFILE_LOCATION="${TMPDIR:-/tmp}/chamber.sb"
printf '%s\n' "$PROFILE" > "$PROFILE_LOCATION"
# I wasn't able to successfully run Xcode builds within a nix shell,
# that's why we use Nix to compute a PATH for the packages and then
# use it for sandboxing.
# NIX_PACKAGES is left unquoted on purpose so a space-separated list splits into several arguments.
NIX_SHELL_PATH=$(nix-shell --packages ${NIX_PACKAGES} --pure --run "echo \$PATH")
# "$@" (rather than $*) passes each argument of the wrapped command through intact, spaces included.
PATH=/bin:/usr/bin:/usr/local/bin:$NIX_SHELL_PATH sandbox-exec -f "$PROFILE_LOCATION" "$@"
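As an added check that is not part of the gist, the following Python audit reads a generated profile, lists the directories its rules leave writable, and flags the broad grants (whole-filesystem read, unrestricted outbound network, unfiltered process*), so the effective scope of the sandbox is visible before a build is trusted to it. The sample profile is constructed from the gist's rules with $PWD and $XCODE_DERIVED_DATA expanded for a placeholder user "me"; the parser only handles single-line rules.

```python
import re

# Constructed sample: the rules from the script above with $PWD and
# $XCODE_DERIVED_DATA already expanded for a placeholder user "me".
SAMPLE_PROFILE = """(version 1)
(deny default)
(allow signal (target same-sandbox))
(allow network-outbound)
(allow process*)
(allow process-exec (subpath "/usr"))
(allow process-exec (subpath "/nix/store"))
(allow file-read* (subpath "/"))
(allow file* (subpath "/dev"))
(allow file* (subpath "/private/tmp"))
(allow file* (subpath "/private/var/folders"))
(allow file* (subpath "/Users/me/project"))
(allow file* (subpath "/Users/me/Library/Developer/Xcode/DerivedData"))
"""

# A single-line rule: (allow|deny OPERATION [filter ...]); multi-line rules
# such as the ipc-posix-shm block in the gist are skipped by this parser.
RULE_RE = re.compile(r'^\((allow|deny)\s+([\w*-]+)(.*)\)\s*$', re.M)
SUBPATH_RE = re.compile(r'\(subpath\s+"([^"]*)"\)')

def parse_rules(profile):
    """Return (action, operation, filter_text) for each single-line rule."""
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in RULE_RE.finditer(profile)]

def writable_paths(profile):
    """Directories the sandboxed command is allowed to write to."""
    return sorted({p for act, op, filt in parse_rules(profile)
                   if act == "allow" and op in ("file*", "file-write*")
                   for p in SUBPATH_RE.findall(filt)})

def findings(profile):
    """Broad grants worth knowing about before relying on the sandbox."""
    out = []
    for act, op, filt in parse_rules(profile):
        if act != "allow":
            continue
        if op == "file-read*" and "/" in SUBPATH_RE.findall(filt):
            out.append("whole filesystem readable, including $HOME")
        if op == "network-outbound" and not filt:
            out.append("unrestricted outbound network")
        if op == "process*" and not filt:
            out.append("process* permits exec from any path, so the "
                       "subpath-scoped process-exec rules add no restriction")
    return out
```

Run it against the file the script writes to $TMPDIR/chamber.sb to see which directories a build can modify and which broad grants remain.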