This makes me sad:

    % sandbox-exec -p '(version 1) (allow default) (deny file* (subpath "/usr/local") (subpath "/Library/Frameworks"))' gcc test.c
    cc1: error: /usr/local/include: Operation not permitted
    cc1: error: /Library/Frameworks: Operation not permitted
    % echo $?
    1