diff --git a/Library/Homebrew/formula.rb b/Library/Homebrew/formula.rb
index ab8c9d98d78c61..f3157c82e8db15 100644
--- a/Library/Homebrew/formula.rb
+++ b/Library/Homebrew/formula.rb
@@ -33,6 +33,7 @@
 require "extend/on_system"
 require "api"
 require "extend/api_hashable"
+require "sandbox"
 # A formula provides instructions and metadata for Homebrew to install a piece
 # of software. Every Homebrew formula is a {Formula}.
diff --git a/Library/Homebrew/formula_installer.rb b/Library/Homebrew/formula_installer.rb
index 00c5f467751139..29b9d4da152de7 100644
--- a/Library/Homebrew/formula_installer.rb
+++ b/Library/Homebrew/formula_installer.rb
@@ -943,6 +943,7 @@ def build
 sandbox.allow_fossil
 sandbox.allow_write_xcode
 sandbox.allow_write_cellar(formula)
+ sandbox.deny_signal(formula)
 sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:build)
 sandbox.exec(*args)
 else
diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 83dabe5c93aac1..ba923b9cc9a66b 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -11,7 +11,7 @@ class Sandbox
 SANDBOX_EXEC = "/usr/bin/sandbox-exec"
 private_constant :SANDBOX_EXEC
- SANDBOX_REDUCTIONS = [:allow_write_to_temp].freeze
+ SANDBOX_REDUCTIONS = [:allow_write_to_temp, :allow_signal].freeze
 sig { returns(T::Boolean) }
 def self.available?
@@ -68,6 +68,14 @@ def allow_write_temp_and_cache(formula = nil)
 allow_write_path HOMEBREW_CACHE
 end
+ sig { params(formula: T.nilable(Formula)).void }
+ def deny_signal(formula = nil)
+ puts "deny_signal: #{formula&.reduced_sandbox&.include?(:allow_signal)}"
+ unless formula&.reduced_sandbox&.include?(:allow_signal)
+ add_rule allow: false, operation: "signal", filter: "target others"
+ end
+ end
+
 sig { void }
 def allow_cvs
 allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.cvspass"
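Review bot: The new `sandbox.deny_signal(formula)` call in `build` covers only the build sandbox; no other sandbox setup appears in this diff. If other phases (for example post-install or test) construct their own `Sandbox`, they would still be able to signal processes outside the sandbox, so it is worth confirming those call sites get the same call or applying the rule by default for every profile. `build` starts and ends outside the hunk, so the surrounding availability check could not be reviewed here.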
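Review bot: `SANDBOX_REDUCTIONS` now includes `:allow_signal`, an opt-out from a process-isolation rule, and nothing at the constant says what each symbol relaxes. I would add a comment above it, e.g. `# Restrictions a formula may opt out of; every entry weakens the sandbox and should be justified in the formula.` The body of `class Sandbox` continues outside the hunk, so how the list is validated against a formula's `reduced_sandbox` is not visible here.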
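Review bot: The `puts "deny_signal: ..."` line in `deny_signal` looks like leftover debug output and would print on every sandboxed build; it should be removed before merge. With it gone the body reads more directly as a guard clause, `return if formula&.reduced_sandbox&.include?(:allow_signal)` followed by the `add_rule` call. A nil formula falls through to the deny rule, which is the safe default and deserves a one-line comment such as `# Default-deny: only formulae that opt in via :allow_signal may signal processes outside the sandbox.` How `add_rule` renders `filter: "target others"` into the profile is not visible in this diff, so a spec asserting the generated rule would be a useful addition.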