Comment by eneveu
2 days ago
Interesting. Do I get this sandboxing out of the box when I install apps with Homebrew? Or do I need to do something specific?
Would love to enable this for all apps, and add exceptions for the ones that need more access.
I installed Lulu and BlockBlock recently, and want to do more to harden my Mac.
This hardening is enabled by default with Gatekeeper. That includes Homebrew apps, unless you disable it.
When an app tries to access something outside of its sandbox, you get a notification asking to approve or deny. Full Disk Access I think needs to be explicitly given on System Settings (Privacy & Security -> Full Disk Access).
That's probably all the hardening the average person needs. BlockBlock because most malware tries to get persistence. Little Snitch or LuLu for fine-grained whitelisting of network requests for any apps that have plugins (e.g. you give Documents permissions to Obsidian, plugins inherit that, but they can't exfiltrate if you only allow requests to trusted domains).