Is it possible to harden a launchd service?

2 votes
1 answer
62 views
I use [syncthing](https://syncthing.net/) for backups and data sync. In Linux, I run it via a systemd hardened unit, restricting what directories the process can read and its access to privileged kernel ops and, most important, I restrict TCP/UDP traffic to a particular subnet, to ensure no data egress happens. I'm installing it on a Mac laptop via Brew, which uses launchd to run it; the file is this one:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>KeepAlive</key>
	<true/>
	<key>Label</key>
	<string>homebrew.mxcl.syncthing</string>
	<key>LimitLoadToSessionType</key>
	<array>
		<string>Aqua</string>
		<string>Background</string>
		<string>LoginWindow</string>
		<string>StandardIO</string>
		<string>System</string>
	</array>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/homebrew/opt/syncthing/bin/syncthing</string>
		<string>-no-browser</string>
		<string>-no-restart</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/opt/homebrew/var/log/syncthing.log</string>
	<key>StandardOutPath</key>
	<string>/opt/homebrew/var/log/syncthing.log</string>
</dict>
</plist>
I've done some research and I could not find a way to harden security. I can live without data and privileged access restrictions, but I'd like to ensure no data egress happens. Is this possible? Note: I tried sandbox-exec, but it does not support IP addresses (error: sandbox-exec: host must be * or localhost in network address).
Asked by Sebastian (161 rep)
Apr 11, 2025, 10:52 AM
Last activity: May 12, 2025, 11:04 AM
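One way to get the egress restriction the question asks for on macOS, as an added example that is not part of the question or of Homebrew's own files: run syncthing as a dedicated unprivileged account under a LaunchDaemon, then use pf's per-user matching (the `user` option in pf.conf) to allow that account only the LAN subnet. The account name `_syncthing`, the subnet `192.168.10.0/24`, the label `local.syncthing` and the anchor path `/etc/pf.anchors/syncthing` are assumptions; the script only generates the two files so they can be reviewed before installation.

```shell
#!/bin/sh
# Hardening sketch: run syncthing as a dedicated unprivileged user under a
# LaunchDaemon and use pf's per-user matching to limit its egress to one subnet.
# The service user "_syncthing" and the subnet used by the caller are assumed
# placeholders, not values from the question.

# Emit pf anchor rules that let only the service user talk to the LAN subnet.
# pf matches "user" against the socket owner, so the rule binds to the account,
# not to the binary. Everything else that user originates is blocked and logged.
gen_pf_rules() {
  svc_user="$1"; lan="$2"
  cat <<EOF
# /etc/pf.anchors/syncthing (assumed path; referenced from /etc/pf.conf)
pass out quick proto { tcp udp } from any to $lan user $svc_user
block out log quick proto { tcp udp } from any to any user $svc_user
EOF
}

# Emit the LaunchDaemon plist. UserName/GroupName only take effect for daemons
# (in /Library/LaunchDaemons), so the agent's LimitLoadToSessionType is dropped.
gen_plist() {
  svc_user="$1"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>local.syncthing</string>
  <key>UserName</key><string>$svc_user</string>
  <key>GroupName</key><string>$svc_user</string>
  <key>ProgramArguments</key>
  <array>
    <string>/opt/homebrew/opt/syncthing/bin/syncthing</string>
    <string>-no-browser</string>
    <string>-no-restart</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>/opt/homebrew/var/log/syncthing.log</string>
  <key>StandardErrorPath</key><string>/opt/homebrew/var/log/syncthing.log</string>
</dict>
</plist>
EOF
}

# Count the default-deny lines in the generated rule set; a rule set without a
# "block out" for the service user gives no egress guarantee at all.
count_block_rules() {
  gen_pf_rules "$1" "$2" | grep -c '^block out'
}
```

The anchor still has to be referenced from /etc/pf.conf (an `anchor "syncthing"` line plus `load anchor "syncthing" from "/etc/pf.anchors/syncthing"`) and pf enabled with `sudo pfctl -ef /etc/pf.conf`; the syncthing config and data directories must also be owned by the service account, since the daemon no longer runs as the login user.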