{"id":13782176,"url":"https://github.com/0xbf00/simbple","last_synced_at":"2025-12-24T14:18:49.414Z","repository":{"id":59407528,"uuid":"143993665","full_name":"0xbf00/simbple","owner":"0xbf00","description":"macOS Sandbox Profile Language (SBPL) Interpreter","archived":false,"fork":false,"pushed_at":"2020-05-24T18:15:44.000Z","size":194,"stargazers_count":47,"open_issues_count":2,"forks_count":10,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-17T17:43:00.982Z","etag":null,"topics":["macos","sandbox","sbpl","security"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xbf00.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-08T09:47:34.000Z","updated_at":"2024-11-09T05:27:34.000Z","dependencies_parsed_at":"2022-09-16T16:30:05.296Z","dependency_job_id":null,"html_url":"https://github.com/0xbf00/simbple","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbf00%2Fsimbple","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbf00%2Fsimbple/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbf00%2Fsimbple/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbf00%2Fsimbple/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xbf00","download_url":"https://codeload.github.com/0xbf00/simbple/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253588661,"owners_count":21932297,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["macos","sandbox","sbpl","security"],"created_at":"2024-08-03T18:01:33.745Z","updated_at":"2025-12-24T14:18:49.407Z","avatar_url":"https://github.com/0xbf00.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"# simbple\n\nThis project aims to document the inner workings of Apple's App Sandbox and to provide a way to obtain plaintext sandbox profiles for third-party apps.\n\nSandboxing for third-party applications is configured using entitlements. Under the hood, these entitlements are turned into a full sandboxing profile by libsandbox. For this, an abstract base profile, containing both SBPL statements and Scheme code, is evaluated, which generates the final ruleset for an app. Unfortunately, only the compiled profile is returned and the plaintext version cannot be audited.\n\nThe `simbple` tool reimplements the profile evaluation process done in `libsandbox` but outputs correct, human-readable SBPL output. The output can be manually audited, automatically patched, manually modified or simply be compiled to profile bytecode using Stefan Esser's tools.\n\n## Compilation\n\n`simbple` depends on `cmake`, `argp` and `nlohmann/json`. The dependencies can be installed using homebrew:\n\n```sh\n$ brew tap nlohmann/json\n$ brew install cmake nlohmann_json argp-standalone\n```\n\nTo build the project\n\n```sh\n$ mkdir build\n$ cd build\n$ cmake ../src\n$ make\n```\n\n## Usage\n\nAs input, the `simbple` tool takes the `Container.plist` file for the target app. This is done so that the same parameters used during the initial sandbox compilation process can be used and the resulting profiles can be verified to be correct. In case an application does not have the required file, simply launch the app once to generate it. If it's still not there, ensure the application is sandboxed, for example by consulting `Activity Monitor.app`.\n\nHere is the full command-line interface to the tool:\n\n```sh\n$ ./simbple --help\n\nUsage: simbple [OPTION...] CONTAINER_METADATA\nEvaluate a SBPL (+ Scheme) profile\n\n  -o, --output=FILE          Output file\n  -p, --profile=PROFILE      Base profile to evaluate. Defaults to\n                             application.sb profile.\n      --platforms=PLATFORM   sierra, high_sierra (default)\n\n Output formats:\n      --json                 Output as JSON\n      --scheme               Output as SCHEME / SBPL\n\n Misc options:\n      --patch                Patch the output profile to log all statements.\n      --verify               Verify semantic correctness of generated results\n\n  -?, --help                 Give this help list\n      --usage                Give a short usage message\n  -V, --version              Print program version\n\nMandatory or optional arguments to long options are also mandatory or optional\nfor any corresponding short options.\n\nThe output is a simplified SBPL profile that can be analysed, modified and\ncompiled as is.\n```\n\nTo obtain the plaintext sandbox profile for `Calculator.app`, execute the following command\n\n```sh\n$ ./simbple ~/Library/Containers/com.apple.calculator/Container.plist\n```\n\nThe output can be verified to be correct using the `--verify` flag. The program exits with a non-zero status code if verification fails.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbf00%2Fsimbple","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xbf00%2Fsimbple","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbf00%2Fsimbple/lists"}