[duncanwilcox]

The Sandbox makes me sad.

Remove exploits of a single poorly written app spreading to the rest of my Mac and taking over make me sadder.

[darren_]

It's not even 'poorly written', it's nearly every non-trivial C/C++ app, over a long enough time, turns out to have _something_ exploitable in it.

[dogfu]

sigh

Does that include the sandbox itself, which was written in C?

[darren_]

Yes? But it presents a much smaller attack surface (as compared to the attack surface presented by the set of applications you might otherwise run under a sandbox). And it's maintained/secured by one vendor instead of the set of vendors that distribute the applications you might otherwise run under the sandbox.

[kenferry]

Ah, but the sandbox profile are written in scheme! So clearly all good.