sbai edited this page Dec 29, 2012 · 2 revisions

MacRuby has a Sandbox class which restricts an application's access to the network, the file system, etc. The Sandbox class is implemented on top of sandbox(7).

For instance, you can easily restrict your application from accessing the network by calling Sandbox.no_network.apply!. Ruby methods and Cocoa APIs are both restricted by the Sandbox.

>> framework 'Cocoa'
>> require 'socket'
>> Sandbox.no_network.apply!
>> Socket.gethostbyaddr("apple.com")
SocketError: host not found
	
>> NSHost.hostWithName("apple.com")
=> <NSHost 0x40121eb80> (null) ((
) (
))

The Sandbox is a good companion to the standard Ruby $SAFE functionality. You may use the Sandbox and $SAFE at the same time.

The Sandbox can restrict your application in the following ways:

  • TCP/IP networking is prohibited.
  • All sockets-based networking is prohibited.
  • File system writes are prohibited.
  • File system writes are restricted to temporary folders.
  • All operating system services are prohibited.

Keep in mind that:

  • Restrictions cannot be changed after being applied.
  • Restrictions are applied per process.

Methods in Sandbox Class

Sandbox.no_internet

Restricts TCP/IP networking in the current process.

  • no_internet -> Sandbox
    • [RETURN]
      • Returns a Sandbox instance.

Sandbox.no_network

Restricts all sockets-based networking in the current process.

  • no_network -> Sandbox
    • [RETURN]
      • Returns a Sandbox instance.

Sandbox.no_writes

Restricts write access in the current process.

  • no_writes -> Sandbox
    • [RETURN]
      • Returns a Sandbox instance.

Sandbox.temporary_writes

Restricts writing outside temporary folders in the current process.

  • temporary_writes -> Sandbox
    • [RETURN]
      • Returns a Sandbox instance.

Sandbox.pure_computation

Restricts all operating system services in the current process.

  • pure_computation -> Sandbox
    • [RETURN]
      • Returns a Sandbox instance.

Sandbox#apply!

Applies the restriction.

  • apply!
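
Because a restriction cannot be changed once applied, it is worth confirming that it actually took effect before handling untrusted input. The following is an added example, not part of the original wiki or of MacRuby itself: `apply_and_verify!`, `write_denied?` and `SandboxNotEnforced` are hypothetical helpers, and the code assumes that a write refused by the sandbox raises an `Errno` error.

```ruby
# Added example, not MacRuby's own code. Helper names are hypothetical.
class SandboxNotEnforced < StandardError; end

# Returns true when the OS refuses to create a file at +path+.
# Assumption: a write denied by the sandbox raises an Errno::* error.
def write_denied?(path)
  File.open(path, 'w') { |f| f.write('probe') }
  File.delete(path)
  false
rescue SystemCallError
  true
end

# sandbox: any object responding to apply! (e.g. Sandbox.no_writes).
# probes:  { label => callable that returns true when the operation is denied }.
def apply_and_verify!(sandbox, probes)
  # A probe that already fails before apply! cannot prove the sandbox works.
  useless = probes.select { |_label, probe| probe.call }.keys
  raise ArgumentError, "inconclusive probe: #{useless.join(', ')}" unless useless.empty?

  sandbox.apply!

  # After apply! every probed operation must be refused; otherwise stop.
  leaks = probes.reject { |_label, probe| probe.call }.keys
  raise SandboxNotEnforced, "still permitted: #{leaks.join(', ')}" unless leaks.empty?
  true
end

# Runs only under MacRuby, where the Sandbox class exists.
if defined?(Sandbox)
  probe_path = File.join(Dir.pwd, ".sandbox-probe-#{Process.pid}")
  apply_and_verify!(Sandbox.no_writes,
                    'write to working directory' => lambda { write_denied?(probe_path) })
  # From here on the process cannot regain write access; handle untrusted input now.
end
```

Letting `SandboxNotEnforced` terminate the process is the fail-closed choice: the restriction is per process and irreversible, so there is nothing to retry.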