Hi,
I have noticed that while running CrossOver on macOS that the guest applications have read and write permissions to the users profile folder, I thought this is not a good thing if the application could possibly contain malware.
So, I did a little investigation and I have found a handy way to run CrossOver (and its guest applications) through the macOS sandbox.
Using the 'sandbox-exec' command I have been able to create a config file which will block (at least write access) to the host's User folders while still allowing the bottle path to be fully accessible to the application.
Below is the configuration file, you will need to change the user name in the file to your username as environment variables are not supported inside the config. I have set this up to run from the user desktop folder, but it can be edited to run from anywhere.
config.sb
(version 1)
(allow default)
(deny network*)
(allow network* (local ip "localhost:*"))
(allow network* (remote ip "localhost:*"))
(allow network* (remote unix-socket))
(deny file-write*
(subpath "/Applications")
(subpath "/Users")
(subpath "/System")
(subpath "/Library")
)
(allow file-write*
(subpath "/Users/YOURUSERNAME/Library/Application Support/CrossOver")
)Also, here is the shell script to run crossover securely. You may need to make the script executable (chmod +x ./CXsecure.command)
CXsecure.command
#!/bin/sh
sandbox-exec -f ~/Desktop/config.sb /Applications/CrossOver.app/Contents/MacOS/CrossOver & disown
exitThe config file can be modified to allow or disallow all sorts of permissions.
If you find this useful or have suggestions please reply to this post.
Have fun.