Closed Bug 1186187 Opened 9 years ago Closed 8 years ago

SandboxMirror kernel extension to help reverse engineer Apple's sandbox implementation

Categories: Core :: Security: Process Sandboxing, defect

All
macOS
defect
Not set
normal


RESOLVED FIXED

(Reporter: smichaud, Unassigned)

(Whiteboard: sb+)

I plan to write a SandboxMirror extension to help figure out how Apple's sandbox implementation works.  In particular, I'd like a way to better understand the practical consequences of using Apple's sandboxing rules to deny access to particular kinds of resources.  For example, what operations are likely to get messed up if I deny access to a particular file, or disallow certain kinds of mach access?

Currently the best we can do is deny certain kinds of access and see what breaks (and what sandbox violations show up in the system console).  It'd be much better to log certain kinds of access while still allowing them.  That way it'd be much easier to acquire a full understanding of the different kinds of access required during everyday use of the browser, or of particular kinds of browser functionality.

The SandboxMirror kernel extension will be part of a package that has three pieces:

1) The SandboxMirror kernel extension itself.  This will hook the same system calls that Apple's Sandbox kernel extension does, and be capable of triggering the logging of calls to one or more of these hooks, by one process or a number of processes.

2) A daemon/service running as root (like sandboxd), which would receive service requests from SandboxMirror to write logging streams to appropriate locations.

3) A simple app (probably a console app), runnable by an ordinary user (or possibly only an admin user), to configure SandboxMirror and its daemon.  You'd use this to specify that you want to log certain kinds of access, from one or more processes, to a particular file.
See Also: → 1185084, 1186158
Assignee: nobody → smichaud
Assignee: smichaud → nobody
Whiteboard: sb+
I'm actually still working on this, and am close to finishing it.  Once I'm done I'll put it up on Github.

What remains are some minor tweaks, and a comprehensive rewrite/expansion of all the code comments.  I also want to work up (and document) some examples of how it can be useful before I release it.

My ETA is hard to estimate -- two or three months?  I'm not pushing myself as hard as I used to :-)
SandboxMirror version 1.0 is done!  It's available at https://github.com/steven-michaud/SandboxMirror.  Please try it out!

The design is very much as I outlined it in comment #0, but I only needed the first two parts (the kernel extension and the daemon).  Logging for a particular process is configured by setting environment variables in that process.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
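The log-while-allowing design from comment #0 (hook the same access checks the sandbox does, but record chosen accesses instead of breaking them) and the per-process environment-variable configuration mentioned in the 1.0 announcement, modelled in userland as an added example. This is not SandboxMirror's own code: the variable names MIRROR_LOG_OPS and MIRROR_LOG_PATHS, the rule shapes (literal / subpath / glob) and the last-match-wins ordering are assumptions made for the model, and the profile and access trace are constructed.

```python
"""Userland model of the 'mirror' logging idea from this bug.

Constructed example, not SandboxMirror's code. A tiny sandbox-rule evaluator
decides allow/deny the usual way, and a separate per-process filter (read
from environment-style variables, as the 1.0 release configures it) records
matching accesses WITHOUT changing the decision. The variable names
MIRROR_LOG_OPS / MIRROR_LOG_PATHS, the rule shapes and the last-match-wins
ordering are assumptions made for this model.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class Rule:
    action: str       # "allow" or "deny"
    operation: str    # e.g. "file-read*" (trailing * = prefix) or "mach-lookup"
    pattern: str      # path, or mach service name
    kind: str = "literal"   # literal | subpath | glob

    def matches(self, operation: str, target: str) -> bool:
        op = self.operation
        op_ok = operation == op or (op.endswith("*") and operation.startswith(op[:-1]))
        if not op_ok:
            return False
        if self.kind == "literal":
            return target == self.pattern
        if self.kind == "subpath":
            base = self.pattern.rstrip("/")
            return target == base or target.startswith(base + "/")
        if self.kind == "glob":
            return fnmatch.fnmatchcase(target, self.pattern)
        raise ValueError(f"unknown rule kind {self.kind!r}")


@dataclass
class MirrorConfig:
    """What to log for one process; built from that process's environment."""
    ops: set        # operations to log ("*" = all); empty set = log nothing
    paths: list     # glob patterns the target must match; empty = any target

    @classmethod
    def from_env(cls, env: dict) -> "MirrorConfig":
        ops = {o for o in env.get("MIRROR_LOG_OPS", "").split(",") if o}
        paths = [p for p in env.get("MIRROR_LOG_PATHS", "").split(":") if p]
        return cls(ops, paths)

    def wants(self, operation: str, target: str) -> bool:
        if not self.ops:
            return False
        op_ok = "*" in self.ops or operation in self.ops
        path_ok = not self.paths or any(fnmatch.fnmatchcase(target, p) for p in self.paths)
        return op_ok and path_ok


def evaluate(rules: list, operation: str, target: str, default: str = "deny") -> str:
    """Sandbox decision: the last matching rule wins, else the default (assumed ordering)."""
    decision = default
    for rule in rules:
        if rule.matches(operation, target):
            decision = rule.action
    return decision


def hook(rules: list, config: MirrorConfig, pid: int, operation: str, target: str, log: list) -> str:
    """Models the kext hook: same decision as the sandbox, plus a mirrored log line."""
    decision = evaluate(rules, operation, target)
    if config.wants(operation, target):
        log.append(f"pid={pid} op={operation} target={target} decision={decision}")
    return decision


def demo():
    """Runs a constructed profile and access trace; returns (decisions, log lines)."""
    rules = [
        Rule("allow", "file-read*", "/usr/lib", "subpath"),
        Rule("allow", "file-read*", "/Users/*/Library/Preferences/*", "glob"),
        Rule("deny", "file-read*", "/Users/me/Documents", "subpath"),
        Rule("allow", "mach-lookup", "com.apple.system.logger"),
    ]
    # Constructed environment of the process being observed.
    env = {"MIRROR_LOG_OPS": "file-read-data,mach-lookup",
           "MIRROR_LOG_PATHS": "/Users/*:com.apple.*"}
    config = MirrorConfig.from_env(env)
    log: list = []
    accesses = [
        ("file-read-data", "/usr/lib/libSystem.B.dylib"),                     # allowed, not logged
        ("file-read-data", "/Users/me/Library/Preferences/org.mozilla.plist"),  # allowed, logged
        ("file-read-data", "/Users/me/Documents/notes.txt"),                   # denied, logged
        ("mach-lookup", "com.apple.system.logger"),                            # allowed, logged
        ("mach-lookup", "com.apple.windowserver.active"),                      # no rule: denied, logged
    ]
    decisions = [hook(rules, config, 4242, op, t, log) for op, t in accesses]
    return decisions, log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```

The point of the model is the split in `hook`: the decision comes only from the rules, and the mirror filter adds a log line for whatever the environment asked for, so the same profile can be observed under normal use instead of tightened until something breaks.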
Hi smichaud! :) Thanks for doing that!

Hey jimm, I assume the folks working on the OS X sandbox will find this invaluable?
Flags: needinfo?(jmathies)
I'm definitely going to give this a try soon. Thanks for putting this together Steven!
(In reply to Haik Aftandilian [:haik] from comment #4)
> I'm definitely going to give this a try soon. Thanks for putting this
> together Steven!

I guess that answers my question. :)
Flags: needinfo?(jmathies)
Hi Mike!  You're both most welcome!

Let me know if you have any questions or problems.  Probably the best place to do that is at the SandboxMirror project's "issues" page https://github.com/steven-michaud/SandboxMirror/issues.

I'm also very interested in finding out how you use it, particularly if it's something I wouldn't have anticipated.  And do let me know if there's something it can't (yet) do that you'd find particularly useful.

I've got some ideas of my own for new functionality, but I don't yet know how to accomplish them.  For the next few months I'll be writing another kernel extension -- one that works with interpose libraries in more ways than (and without so many limitations as) Apple's own DYLD_INTERPOSE_LIBRARIES functionality.  I'm not entirely sure that's possible.  But if it is, I'll learn things that'll help with future versions of SandboxMirror.
> DYLD_INTERPOSE_LIBRARIES 

Oops, DYLD_INSERT_LIBRARIES.
> For the next few months I'll be writing another kernel
> extension -- one that works with interpose libraries in more
> ways than (and without so many limitations as) Apple's own
> DYLD_INTERPOSE_LIBRARIES functionality.

It took longer than "the next few months", but I've finished it:

https://github.com/steven-michaud/HookCase

It's everything I hoped for:  A full reimplementation of Apple's DYLD_INSERT_LIBRARIES functionality, but substantially more powerful and without Apple's limitations.  Please check it out!
This brings a tear of joy to my eye.