<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>sandboxd on Wojciech Reguła</title><link>/tags/sandboxd/</link><description>Recent content in sandboxd on Wojciech Reguła</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© Wojciech Reguła</copyright><lastBuildDate>Thu, 16 Jul 2026 10:00:00 +0000</lastBuildDate><atom:link href="/tags/sandboxd/rss.xml" rel="self" type="application/rss+xml"/><item><title>Crossing the Golden Gate: macOS's New Application Support Protection</title><link>/post/golden-gate-appdata-protection/</link><pubDate>Thu, 16 Jul 2026 10:00:00 +0000</pubDate><guid>/post/golden-gate-appdata-protection/</guid><description>Summary Looks like moving the user&amp;rsquo;s TCC db to /private/var/containers/Data/ProtectedSystem/[UUID]/Data/Library/Application Support/com.apple.TCC/ was not the only change in the whole privacy castle of macOS 27. (What btw was a great move as now attackers with full disk access permissions can&amp;rsquo;t modify your privacy settings)
macOS 27 quietly ships a new privacy mechanism I hadn&amp;rsquo;t seen documented anywhere: it extends the com.apple.macl protection that has always guarded sandboxed apps&amp;rsquo; ~/Library/Containers/&amp;lt;bundle-id&amp;gt;/Data folders to a hand-picked set of non-sandboxed apps&amp;rsquo; ~/Library/Application Support/&amp;lt;name&amp;gt; folders too.</description></item></channel></rss>