The sandbox-exec(1) functionality allows you to restrict process behavior. This could be used to prevent builds from writing outside the build dir, and might allow hiding /usr/local as well for reliability.
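As an added illustration (not code from the commenter or from any project mentioned here), the following shell script shows what such a restriction looks like: a minimal SBPL profile for sandbox-exec(1) that denies everything by default, re-allows what a typical build needs, confines writes to one build directory, and hides /usr/local. The set of allowed operations, the temp-directory paths and the BUILD_DIR parameter name are assumptions chosen for this example, not a known-good profile for any particular build system.

```shell
#!/bin/sh
# Added example, not part of the original comment or any project's own code.
# Confines a build with sandbox-exec(1): writes only inside BUILD_DIR, and
# /usr/local is unreadable so the build cannot silently pick up whatever
# happens to be installed there.

# Emit the SBPL profile. It is a heredoc with a quoted delimiter, so nothing
# is expanded by the shell; the build directory arrives at run time through
# the "BUILD_DIR" parameter (sandbox-exec -D), so no path is hard-coded here.
# Later rules take precedence over earlier ones, which is why the /usr/local
# deny comes after the broad file-read* allow.
build_profile() {
    cat <<'EOF'
(version 1)
(deny default)
(debug deny)                       ; log every denied operation
(allow process-exec)
(allow process-fork)
(allow signal (target self))
(allow sysctl-read)                ; assumption: compilers query hw.ncpu etc.
(allow mach-lookup)                ; assumption: needed by many system libs
(allow ipc-posix-shm)
(allow file-read*)
(deny file-read* (subpath "/usr/local"))
(allow file-write* (subpath (param "BUILD_DIR")))
(allow file-write* (literal "/dev/null"))
(allow file-write* (subpath "/private/tmp")         ; assumption: scratch space
                   (subpath "/private/var/folders")) ; where macOS puts TMPDIR
EOF
}

# Run COMMAND... inside the sandbox, with writes confined to the given build
# directory. Returns the command's exit status (non-zero if sandbox-exec is
# missing, e.g. on a non-macOS host).
run_in_sandbox() {
    build_dir=$(cd "$1" && pwd -P) || return 1   # resolve symlinks: subpath
    shift                                         # rules match real paths
    profile=$(mktemp "${TMPDIR:-/tmp}/build-sandbox.XXXXXX") || return 1
    build_profile > "$profile"
    sandbox-exec -f "$profile" -D "BUILD_DIR=$build_dir" "$@"
    status=$?
    rm -f "$profile"
    return $status
}

# Usage (macOS only):
#   mkdir -p build
#   run_in_sandbox build sh -c 'touch "$PWD/build/ok" && touch /usr/local/nope'
# The first touch succeeds; the second fails with "Operation not permitted".
```

Two practical notes: the profile hides /usr/local from reads as well as writes, so a build directory that itself lives under /usr/local would be unusable with it, which is intentional. And sandbox-exec's own man page has marked the tool deprecated for several macOS releases; it still works, but a wrapper like this should check `command -v sandbox-exec` before relying on it.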