I'm kind of paranoid about my various programs pinging home all the time. It's a ridiculous practice, and simply unsafe, right? While Little Snitch is a common solution for blocking individual programs' access to the internet, it uses up precious RAM. Luckily, OSX Leopard has a sparsely-documented but infinitely useful tool called a Sandbox. There are many uses for Sandboxing, but right now I'm just using it to launch a program and prevent that program's network access.
Step 1: Create a basic Sandbox file in a text editor
Use TextEdit or TextWrangler to create your Sandbox text file, and save it with a .sb file extension. For practicality and possible re-use with additional programs, let's name it no-network.sb. Here's the text you want in your file:
(version 1)
(debug deny)
(allow default)
(deny network*)
Double-check that your file is not using rich text, and save your changes. The next step will let us pick which program launches with this new no-network parameter.
Step 2: Sandboxing Your Program Using AppleScript
The second-neatest thing Apple ever came up with is AppleScript. It lets you automate a program with specific parameters, and in the case of Sandboxing, AppleScript gives us a convenient way to launch our program without repeatedly opening up the terminal and entering lengthy commands.
Open up the Script Editor and enter the following:
do shell script "sandbox-exec -f "
and then drag your .sb file from the Finder, wherever you saved it, into the quotation marks. This saves us from having to type out the full location of the file. Mine looks like
do shell script "sandbox-exec -f /Users/micropony/Documents/Sandbox/no-network.sb "
The next thing to add to the command is very important; it's the program you want to launch with Sandbox parameters. Drag the UNIX executable file of your target program into the quotation marks of your script, after your .sb file. In this example case I will use Safari.
Finding the UNIX executable file for a program is easy. Ctrl+click on your program and select "Show Package Contents." Expand the resulting "Contents" folder, and then the "MacOS" folder. Voila. Drag the executable into your script, within the quotation marks.
Mine looks like
do shell script "sandbox-exec -f /Users/micropony/Documents/Sandbox/no-network.sb /Applications/Safari.app/Contents/MacOS/Safari"
Save your AppleScript as an application (not a Script), and use this to launch your program from now on. See, no internet access for Safari now:

Note: If you've got blank spaces in your file path name, AppleScript gets bitchy. Let's say that your program location is at /Applications/Microsoft Office 2008/Microsoft Word.app/Contents/MacOS/Microsoft Word. You will need to express the path with a ? in lieu of any blank spaces. This works because the shell treats ? as a wildcard that matches any single character, a space included. In your AppleScript, the file location in this case should be /Applications/Microsoft?Office?2008/Microsoft?Word.app/Contents/MacOS/Microsoft?Word. Presto, no more resolving path errors.
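A quoting-based alternative to the ? substitution in the note above, as an added example that is not part of the original post: a shell wrapper that writes the Step 1 profile, finds the bundle's executable, and hands each path to sandbox-exec as one quoted argument, so a wildcard can never match a different file. The function names, the script name nonet.sh, and the rule that the executable is named after the bundle are assumptions; the generated AppleScript line also assumes paths without double quotes or backslashes.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Write the four-line profile from Step 1 to the file named in $1.
write_profile() {
    cat > "$1" <<'EOF'
(version 1)
(debug deny)
(allow default)
(deny network*)
EOF
}

# Resolve the executable inside a bundle. Assumption: it is named after the
# bundle (Safari.app -> Contents/MacOS/Safari), as in both examples on the page.
bundle_executable() {
    exe="$1/Contents/MacOS/$(basename "$1" .app)"
    [ -f "$exe" ] && [ -x "$exe" ] || return 1
    printf '%s\n' "$exe"
}

# Wrap a string in single quotes for sh, escaping embedded single quotes.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print the Step 2 AppleScript line with profile ($1) and executable ($2)
# quoted, so spaces need no "?" and nothing is left for the shell to glob.
applescript_line() {
    printf 'do shell script "sandbox-exec -f %s %s"\n' "$(shquote "$1")" "$(shquote "$2")"
}

# Launch a bundle offline: profile in a temp file, each path a single argument.
run_offline() {
    app=$1; shift
    exe=$(bundle_executable "$app") || { echo "no executable in $app" >&2; return 1; }
    profile=$(mktemp "${TMPDIR:-/tmp}/no-network.XXXXXX") || return 1
    write_profile "$profile"
    status=0
    sandbox-exec -f "$profile" "$exe" "$@" || status=$?
    rm -f "$profile"
    return "$status"
}

# Usage (hypothetical file name): sh nonet.sh "/Applications/Safari.app"
if [ "$#" -gt 0 ]; then run_offline "$@"; fi
```

With the ? form, a second path that differs only in the characters where the spaces were would also match the pattern; the quoted form names exactly one file.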
Good luck, and go create script programs for anything you don't want to phone home. Thanks neon_electro for getting me thinking about this.


