
Exploring macOS Sandbox Profiles: Pre-Defined Rules


Context

When examining Apple’s sandbox profiles you’ll often encounter “mystery” symbols such as:

(when (entitlement "com.apple.security.network.client") (network-client))

At first glance (network-client) seems magical — but it’s simply a macro defined elsewhere. So, where do these definitions actually live?


System Sandbox Profiles

The answer is in the system’s sandbox policy sources, which macOS ships in two main locations:

  • /System/Library/Sandbox/Profiles → high-level application profiles (e.g. application.sb).
  • /usr/share/sandbox/ → lower-level or system service profiles (e.g. bluetoothd.sb).

These files use a Scheme-like language. Knowing where they are is the first step—but how do we trace what a macro like (network-client) really means?


Tracing a Macro

To answer that, remember that macros are declared with the define form:

(define (<macro-name>) ...)

To locate the definition of (network-client), search for it within the system profiles:

grep -R --line-number '(define (network-client)' \
  /System/Library/Sandbox/Profiles /usr/share/sandbox/

Example output:

/System/Library/Sandbox/Profiles/appsandbox-common.sb:415:(define (network-client)

Opening the file reveals the full macro definition:

(define (network-client)
  (system-network)
  (allow network-outbound (remote ip))
  (allow mach-lookup
    (global-name
      "com.apple.NetworkDiagnostic.agent"
      "com.apple.WebKit.PluginAgent"
      "com.apple.airportd"
      "com.apple.cfnetwork.AuthBrokerAgent"
      "com.apple.cfnetwork.cfnetworkagent"
      "com.apple.corewlan-xpc"
      "com.apple.nesessionmanager.content-filter"
      "com.apple.networkserviceproxy.fetch-token"
      "com.apple.nsurlsessiond")))
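To print the whole definition without opening the file by hand, the grep step can be combined with a parenthesis counter. This is an added example, not part of the original post; sb_show_define is a hypothetical helper name, and it assumes each definition starts on its own line as in the output above.

```shell
#!/bin/sh
# Added example: print the complete (define (<name>) ...) form for a sandbox
# rule, not just the line grep reports. sb_show_define is a hypothetical name.

sb_show_define() {
    name=$1
    shift
    # Default search roots are the two profile directories named in the post.
    [ "$#" -gt 0 ] || set -- /System/Library/Sandbox/Profiles /usr/share/sandbox
    # -F matches the parentheses literally; -l lists only the matching files.
    grep -R -l -F "(define ($name)" "$@" 2>/dev/null |
    while IFS= read -r file; do
        awk -v needle="(define ($name)" -v file="$file" '
            # Net parenthesis depth of a line, ignoring strings and ; comments,
            # so a ")" inside a quoted service name does not end the form early.
            function depth_delta(line,    opens, closes) {
                gsub(/"([^"\\]|\\.)*"/, "", line)   # drop string literals
                sub(/;.*/, "", line)                # drop trailing comment
                opens  = gsub(/\(/, "", line)
                closes = gsub(/\)/, "", line)
                return opens - closes
            }
            !inside && index($0, needle) {
                inside = 1; depth = 0
                printf ";; %s:%d\n", file, NR       # where the form starts
            }
            inside {
                print
                depth += depth_delta($0)
                if (depth <= 0) inside = 0          # form is balanced: stop
            }
        ' "$file"
    done
}

# Usage: sb_show_define network-client
#        sb_show_define system-network /System/Library/Sandbox/Profiles
```

Running it again on a name that appears inside the printed body, such as system-network, expands the next level of rules.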

Understanding these macros shows how Apple translates simple entitlements into very concrete sets of rules. Instead of thinking “this entitlement allows networking,” you can see the precise allow clauses that are granted.

Hope it helps!