Added new build target for running application inside sandbox

Makefile

@@ -5,7 +5,6 @@ FLAGS += \
 SOURCES = $(wildcard src/*.cpp src/*/*.cpp) \
 	ext/nanovg/src/nanovg.c
 
-
 include arch.mk
 
 ifeq ($(ARCH), lin)
@@ -57,6 +56,11 @@ ifeq ($(ARCH), win)
 	env PATH=dep/bin:/mingw64/bin ./$<
 endif
 
+sandbox-run: $(TARGET)
+ifeq ($(ARCH), mac)
+	sandbox-exec -f ./Rack.sb `which sh` -c 'DYLD_FALLBACK_LIBRARY_PATH=dep/lib ./$<'                                                                      2 ↵  ✹ ✭sandbox ‹2.4.2›
+endif
+
 debug: $(TARGET)
 ifeq ($(ARCH), lin)
 	LD_LIBRARY_PATH=dep/lib gdb -ex run ./Rack

Rack.sb

@@ -0,0 +1,58 @@
+
+(version 1)
+(debug allow)
+
+; This is needed for IPC on OSX >= 10.6
+(allow ipc-posix-shm)
+
+; Allow inbound and outbound connections
+(allow network-outbound)
+(allow network-inbound)
+
+; Allow reading with sysctl
+(allow sysctl-read)
+
+; Allow it to read metadata
+(allow file-read-metadata)
+
+; Allow it to run processes and fork
+(allow process*)
+
+; Allow it to signal self
+(allow signal)
+
+(allow iokit-open)
+
+(allow mach-lookup)
+
+(allow system-socket)
+
+; Allow file reading
+(allow file-read*
+    (regex
+        #"^/Applications/Rack.app"
+        #"^/Library/*"
+        #"^/System/Library/*"
+        #"^/usr/*"
+        #"^/dev/*"
+        #"/Users/jon/Projects/Rack"
+        #"/Users/[^.]+/Library/Saved Application State/com.vcvrack.rack.savedState"
+    )
+)
+
+; Allow write access to a subset of the above
+(allow file-write*
+    (regex
+        #"^/private/var/*"
+        #"^/private/tmp/*"
+        #"^/var/folders/th/*"
+    )
+)
+
+(allow file-issue-extension
+    (regex
+        #"^/private/var/*"
+    )
+)
+
+(deny default)