pub fn build_macos_sbpl(caps: &Capabilities, cwd: &Path) -> String
Build a macOS Seatbelt (SBPL) profile string from the declared
capabilities. The profile starts from `(deny default)` and grants
only what `caps` explicitly allows; anything not listed in `caps`
(filesystem paths, network, process execution) stays denied.

References:

- Apple's Seatbelt profile language is undocumented but stable; community
  references exist at chromium.googlesource.com and in macOS's own
  `/System/Library/Sandbox/Profiles/`.
- Apple has signalled that `sandbox-exec` is deprecated. The stable
  replacement for our use case (user-controlled child sandboxing) is the
  Endpoint Security framework, which is heavyweight and requires
  entitlements; that migration is a future track. Until then,
  `sandbox-exec` works.
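The following is an added, self-contained sketch of what a deny-default SBPL builder of this shape looks like; it is example code, not the project's own `build_macos_sbpl`. The `Capabilities` struct here is a stand-in (the real type is not shown on this page), and it assumes that relative paths in `caps` are resolved against `cwd` and that path literals are quoted so a crafted path cannot terminate the string literal and inject its own `(allow ...)` rule.

```rust
use std::path::Path;

/// Stand-in capability set for the example. The real `Capabilities` type is
/// not shown on the page; these fields are an assumption.
#[derive(Debug, Default, Clone)]
pub struct Capabilities {
    pub read_paths: Vec<String>,
    pub write_paths: Vec<String>,
    pub exec_paths: Vec<String>,
    pub network_outbound: bool,
}

/// Quote a string as an SBPL (Scheme-style) string literal.
/// `"` and `\` are escaped so a path such as `x") (allow default) ("` cannot
/// break out of the literal and smuggle in extra rules.
fn sbpl_quote(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Build a deny-default profile that grants only what `caps` lists.
/// Relative paths are resolved against `cwd` (assumption for this example).
pub fn build_macos_sbpl(caps: &Capabilities, cwd: &Path) -> String {
    let resolve = |p: &str| -> String {
        let path = Path::new(p);
        let abs = if path.is_absolute() { path.to_path_buf() } else { cwd.join(path) };
        sbpl_quote(&abs.to_string_lossy())
    };

    let mut out = String::new();
    out.push_str("(version 1)\n");
    out.push_str("(deny default)\n");

    // Bootstrap set: with `(deny default)` a dynamically linked binary cannot
    // even load dyld and the system libraries. These rules mirror what the
    // profiles under /System/Library/Sandbox/Profiles/ grant; tune per target.
    out.push_str("(allow process-fork)\n");
    out.push_str("(allow sysctl-read)\n");
    out.push_str("(allow file-read* (subpath \"/usr/lib\") (subpath \"/System/Library\"))\n");

    // Explicit grants, one rule per declared capability. Write access does
    // not imply read access; declare both if the child needs both.
    for p in &caps.read_paths {
        out.push_str(&format!("(allow file-read* (subpath {}))\n", resolve(p)));
    }
    for p in &caps.write_paths {
        out.push_str(&format!("(allow file-write* (subpath {}))\n", resolve(p)));
    }
    for p in &caps.exec_paths {
        // `literal` rather than `subpath`: allow exactly this binary.
        out.push_str(&format!("(allow process-exec (literal {}))\n", resolve(p)));
    }
    if caps.network_outbound {
        out.push_str("(allow network-outbound)\n");
    }
    out
}

fn main() {
    let caps = Capabilities {
        read_paths: vec!["/etc/hosts".into(), "data".into()],
        write_paths: vec!["out".into()],
        exec_paths: vec!["/usr/bin/git".into()],
        network_outbound: false,
    };
    // The resulting string is what gets handed to `sandbox-exec -p`.
    print!("{}", build_macos_sbpl(&caps, Path::new("/work/proj")));
}
```

The profile string is passed verbatim to `sandbox-exec -p`, so the quoting in `sbpl_quote` is the one place where untrusted input (a user-supplied path) touches the policy language; keep it, or a path containing `")` becomes a policy injection.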