Sandbox 31 Mac OS

Posted on  by

App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised. Apps distributed through the Mac App Store must adopt App Sandbox. Apps signed and distributed outside of the Mac App Store with Developer ID can (and in most cases should) use App Sandbox as well.

“Mac Sandbox V2 Design Doc” on chromium.googlesource.com “macOS: How to run your Applications in a Mac OS X sandbox to enhance security” on paolozaino.wordpress.com “A quick glance at macOS’ sandbox-exec” on jmmv.dev; Further historical background and technical details can be found here: “Sandbox/OS X Rule Set” on the Mozilla wiki. Universe Sandbox v20.6.1 macOS File Size: 549.07 MB. Information: Universe Sandbox? Is a physics-based space simulator. It merges gravity, climate, collision, and material interactions to reveal the beauty of our universe and the fragility of our planet.

At a Glance

Complex systems will always have vulnerabilities, and software complexity only increases over time. No matter how carefully you adopt secure coding practices and guard against bugs, attackers only need to get through your defenses once to succeed. While App Sandbox doesn’t prevent attacks against your app, it does minimize the harm a successful one can cause.

A non-sandboxed app has the full rights of the user who is running that app, and can access any resources that the user can access. If that app or any framework it is linked against contain security holes, an attacker can potentially exploit those holes to take control of that app, and in doing so, the attacker gains the ability to do anything that the user can do.

Mac

Mac Os Versions

Designed to mitigate this problem, the App Sandbox strategy is twofold:

  1. App Sandbox enables you to describe how your app interacts with the system. The system then grants your app the access it needs to get its job done, and no more.

  2. App Sandbox allows the user to transparently grant your app additional access by way of Open and Save dialogs, drag and drop, and other familiar user interactions.

App Sandbox is not a silver bullet. Apps can still be compromised, and a compromised app can still do damage. But the scope of potential damage is severely limited when an app is restricted to the minimum set of privileges it needs to get its job done.

App Sandbox is Based on a Few Straightforward Principles

By limiting access to sensitive resources on a per-app basis, App Sandbox provides a last line of defense against the theft, corruption, or deletion of user data, or the hijacking of system hardware, if an attacker successfully exploits security holes in your app. For example, a sandboxed app must explicitly state its intent to use any of the following resources using entitlements:

  • Hardware (Camera, Microphone, USB, Printer)

  • Network Connections (Inbound or Outbound)

  • App Data (Calendar, Location, Contacts)

  • User Files (Downloads, Pictures, Music, Movies, User Selected Files)

Access to any resource not explicitly requested in the project definition is rejected by the system at run time. If you are writing a sketch app, for example, and you know your app will never need access to the microphone, you simply don’t ask for access, and the system knows to reject any attempt your (perhaps compromised) app makes to use it.

On the other hand, a sandboxed app has access to the specific resources you request, allows users to expand the sandbox by performing typical actions in the usual way (such as drag and drop), and can automatically perform many additional actions deemed safe, including:

  • Invoking Services from the Services menu

  • Reading most world readable system files

  • Opening files chosen by the user

The elements of App Sandbox are entitlements, container directories, user-determined permissions, privilege separation, and kernel enforcement. Working together, these prevent an app from accessing more of the system than is necessary to get its job done.

Relevant chapters:App Sandbox Quick Start, App Sandbox in Depth

Design Your Apps with App Sandbox in Mind

After you understand the basics, look at your app in light of this security technology. First, determine if your app is suitable for sandboxing. (Most apps are.) Then resolve any API incompatibilities and determine which entitlements you need. Finally, consider applying privilege separation to maximize the defensive value of App Sandbox.

Xcode Helps You Migrate an Existing App to App Sandbox

Some file system locations that your app uses are different when you adopt App Sandbox. In particular, you gain a container directory to be used for app support files, databases, caches, and other files apart from user documents. Xcode and macOS support migration of files from their legacy locations to your container.

Relevant chapter:Migrating an App to a Sandbox

Preflight Your App Before Distribution

After you have adopted App Sandbox in your app, as a last step each time you distribute it, double check that you are following best practices.

How to Use This Document

To get up and running with App Sandbox, perform the tutorial in App Sandbox Quick Start. Before sandboxing an app you intend to distribute, be sure you understand App Sandbox in Depth. When you’re ready to start sandboxing a new app, or to convert an existing app to adopt App Sandbox, read Designing for App Sandbox. If you’re providing a new, sandboxed version of your app to users already running a version that is not sandboxed, read Migrating an App to a Sandbox. Finally, before distributing your app, work through the App Sandbox Checklist to verify that you are following best practices for App Sandbox.

Prerequisites

Before you read this document, make sure you understand the overall macOS development process by reading Mac App Programming Guide.

See Also

To complement the damage containment provided by App Sandbox, you must provide a first line of defense by adopting secure coding practices throughout your app. To learn how, read Security Overview and Secure Coding Guide.

An important step in adopting App Sandbox is requesting entitlements for your app. For details on all the available entitlements, see Entitlement Key Reference.

You can enhance the benefits of App Sandbox in a full-featured app by implementing privilege separation. You do this using XPC, a macOS implementation of interprocess communication. To learn the details of using XPC, read Daemons and Services Programming Guide.


Sandbox 31 Mac Os Catalina


Copyright © 2016 Apple Inc. All Rights Reserved. Terms of Use Privacy Policy Updated: 2016-09-13

For Developers‎ > ‎Design Documents‎ > ‎Sandbox‎ > ‎

OSX Sandboxing Design

This document describes the process sandboxing mechanism used on Mac OS X.

Background

Sandboxing treats a process as a hostile environment which at any time can be compromised by a malicious attacker via buffer overruns or other such attack vectors. Once compromised, the goal is to allow the process in question access to as few resources of the user's machine as possible, above and beyond the standard file-system access control and user/group process controls enforced by the kernel.
See the overview document for goals and general architectural diagrams.

Implementation

On Mac OS X versions starting from Leopard, individual processes can have their privileges restricted using the sandbox(7) facility of BSD, also referred to in some Apple documentation as 'Seatbelt'. This is made up of a single API call, sandbox_init(), which sets the access restrictions of a process from that point on. This means that previously opened file descriptors continue working even if the new privileges would deny access to newly created descriptors. We can use this to our advantage by setting up everything correctly at the start of the process then cutting off all access before we expose the renderer to any 3rd party input (html, etc).
Seatbelt does not place restrictions on memory allocation, threading, or access to previously opened OS facilities. As a result, this shouldn't impose any additional requirements or drastically alter our IPC designs.
OS X provides additional protection against buffer overflows. In Leopard, the stack is marked as non-executable memory and thus less susceptible as an attack vector for executing malicious code. This doesn't prevent against buffer overruns in the heap, but for 64-bit apps, Leopard disallows any attempts to execute code unless that portion of memory is explicitly marked as executable. As we move towards 64-bit render processes in the future, this will be another attractive security feature.
sandbox_init() has supports for both predefined sandbox access restrictions and sandbox profile scripts which provide finer grained control.
Chromium uses custom sandbox profiles defined in .sb files in the source tree.
The following profiles are defined (paths relative to root of source directory):
  • content/common/common.sb - used for common setup for all sandboxes.
  • content/renderer/renderer.sb - used for the extension & renderer processes. Enables access to the font server.
  • chrome/browser/utility.sb - used by the utility process. Allows access to a single configurable directory.
  • content/browser/worker.sb - used by the worker process. Most restrictive - no file system access apart from loading system libraries.
  • chrome/browser/nacl_loader.sb - used for running Native Client untrusted (i.e., 'user') code.
One sticky point we run into is that the sandboxed process calls through to OS X system APIs. There is no documentation available about which privileges each API needs, such as whether they need access to on-disk files, or call other APIs to which the sandbox restricts access. Our approach to date has been to 'warm up' any problematic API calls before turning the sandbox on. This means that we call through to the API, to allow it to cache whatever resource it needs. For example, color profiles and shared libraries can be loaded from disk before we 'lock down' the process.
SandboxInitWrapper::InitializeSandbox() is the main entry point for initializing the Sandbox, it performs the following steps:
  • Determines if the current process type needs to be sandboxed and if so, which sandbox configuration to use.
  • 'Warm up' relevant system APIs by calling through to sandbox::SandboxWarmup() .
  • Enable the Sandbox by calling through to sandbox::EnableSandbox() .

Diagnostics

The OS X sandbox implementation supports the following flags:
  • --no-sandbox - Disable the sandbox entirely.
  • --enable-sandbox-logging - Verbose information about which system calls are blocked is logged to syslog.
Debugging Chrome on OS X contains more documentation on debugging and diagnostic tools provided by the Mac OS X sandbox API.

Additional Reading

  • http://www.318.com/techjournal/?p=107
  • sandbox man page (man 7 sandbox)
  • System sandbox files can be found under one of the following paths (depending on the OS Version):
    • /Library/Sandbox/Profiles
    • /System/Library/Sandbox/Profiles
    • /usr/share/sandbox