Mark RoweZola2024-12-01T00:00:00+00:00https://bdash.net.nz/atom.xmlTCC and the macOS Platform Sandbox Policy2024-12-01T00:00:00+00:002024-12-01T00:00:00+00:00
Unknown
https://bdash.net.nz/posts/tcc-and-the-platform-sandbox-policy/<h1 id="background">Background</h1>
<h2 id="what-is-tcc">What is TCC?</h2>
<p>TCC is a subsystem on macOS that is responsible for managing which applications
a user has permitted to access certain resources. Its full name is
"Transparency, Consent and Control". If you've ever seen an <em>"Application" would
like to access the camera</em> prompt… that's TCC.</p>
<p>TCC is used to gate access to resources that Apple considers to be sensitive. Protected
resources include:</p>
<ul>
<li>Hardware devices such as the camera and microphone</li>
<li>Location services</li>
<li>A user's photos, contacts, calendar, or reminders</li>
<li>Files in a user's desktop, downloads or documents folders</li>
<li>Data managed by other third-party applications</li>
</ul>
<p>TCC permissions are mediated by the <code>tccd</code> process that runs as part of macOS.
System frameworks that access sensitive resources use private APIs, such as
<code>TCCAccessRequest</code> to determine whether they have permission to access the
resource. The API performs an interprocess call to <code>tccd</code>, which will trigger a
prompt if it is the first time the application has attempted to access that
class of resource. Otherwise, it will return the stored permission decision.</p>
<h2 id="what-is-the-platform-sandbox-policy">What is the Platform Sandbox Policy?</h2>
<p>For background about what sandboxing is on macOS and how it works, see
<a href="https://bdash.net.nz/posts/sandboxing-on-macos/">Sandboxing on macOS</a>.</p>
<p>The Platform Sandbox Policy is a sandbox policy that is applied to all processes
running on macOS. It is applied transparently to all processes on the system,
irrespective of whether they are explicitly sandboxed.</p>
<p>The Platform Sandbox Policy implements one part of System Integrity Protection
on macOS. It defines and enforces the restrictions on access to the file system,
Mach bootstrap names, IOKit devices, and other resources. Amongst other
things, the platform sandbox policy uses process attributes (such as signing
identity, bundle identifier, and entitlements) to allow specific applications to
bypass restrictions that System Integrity Protection would typically apply to
them. This allows applications that are part of macOS to provide system
functionality, such as app installation and software updates, that would
otherwise be prohibited by System Integrity Protection.</p>
<h1 id="with-user-approval"><code>(with user-approval …)</code></h1>
<p>One aspect of TCC that most existing analyses of it miss is that the Platform
Sandbox Policy also backstops TCC. The sandbox kernel extension supports
triggering TCC prompts when a program accesses specific resources, rather than
being limited to merely allowing or denying the access, and the platform sandbox
policy makes use of this facility</p>
<p>Specifically, <code>allow</code> actions in the platform sandbox policy can have a <code>(with user-approval "<type>")</code> modifier attached to them. This triggers an up-call
from the Sandbox kernel extension to the <code>sandboxd</code> user-space helper asking for
TCC approval of the specified type. <code>sandboxd</code> translates this into a call to
<code>tccd</code>, much like a system framework using <code>TCCAccessRequest</code> to verify
that the calling application is permitted to access a given resource.</p>
<h2 id="a-simple-example">A "simple" example</h2>
<p>Access to the computer's camera is gated behind the <code>kTCCServiceCamera</code> TCC
policy. Frameworks that provide access to the camera, such as AVFoundation,
explicitly call <code>TCCAccessRequest(kTCCServiceCamera, …)</code> to ensure that the
application is permitted to access the camera. But as the camera is a hardware
device, a sufficiently motivated application could access it directly via the
IOKit framework. To safeguard against this, the Platform Sandbox Profile has a
policy in place for <code>iokit-open-user-client</code> operations that will trigger a TCC
prompt if a camera device is accessed directly via IOKit:</p>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>allow iokit<span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-support z-function z-lisp">open</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>user<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>client
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-keyword z-control z-lisp">with</span> user<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>approval <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>kTCCServiceCamera<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>all
</span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>process<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>attribute is<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>sandcastle<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>constrained<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>any
</span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>all
</span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>iokit<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>registry<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>entry<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>class <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>IOFireWireAVCUserClient<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>any
</span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-keyword z-operator z-logical z-lisp">not</span>
</span></span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>signing<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>identifier <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>com.apple.AVCAssistant<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-keyword z-operator z-logical z-lisp">not</span>
</span></span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>process<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>attribute is<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>platform<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>binary<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>all
</span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>iokit<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>registry<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>entry<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>class <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>IOUSBInterfaceUserClientV2<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>iokit<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>usb<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>interface<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>class kUSBVideoInterfaceClass<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>any
</span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-keyword z-operator z-logical z-lisp">not</span>
</span></span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>process<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>attribute is<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>platform<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>binary<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-keyword z-operator z-logical z-lisp">not</span>
</span></span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>signing<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>identifier <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>com.apple.VDCAssistant<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>all
</span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-keyword z-operator z-logical z-lisp">not</span>
</span></span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>%entitlement<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>is<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>bool<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>true <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>com.apple.camera.iokit-user-access<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>iokit<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>registry<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>entry<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>class <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>AppleCamInUserClient<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<p>This triggers a <code>kTCCServiceCamera</code> prompt for any access to
<code>IOFireWireAVCUserClient</code>, <code>IOUSBInterfaceUserClientV2</code> with class
<code>kUSBVideoInterfaceClass</code>, and <code>AppleCamInUserClient</code>. Platform binaries and
binaries with certain entitlements or identifiers are excluded from the
prompting.</p>
<h2 id="storage-classes">Storage classes</h2>
<p>One of the key attributes used within the Platform Sandbox Policy is the concept
of the <strong>storage class</strong> of a file system object. This is a way of classifying a
given file system object as containing some type of data that may need special
attention.</p>
<p>File system objects are tracked in the sandbox kernel extension as kernel
<code>vnode</code> objects. A given <code>vnode</code> is assigned to exactly one storage class at a
time, though the storage class it is assigned to can change. The sandbox kernel
extension caches the mapping from <code>vnode</code> objects to storage class to avoid
recomputing them. The cache is invalidated in response to certain events
that could cause the mapping to change.</p>
<p>Storage classes are assigned by the Platform Sandbox Policy. The special
<code>storage-class-map</code> sandbox operation is used along with the <code>(with assign-storage-class "<class>")</code> action modifier to determine which storage
class should be assigned to a given file system object. Within this portion of
the policy, the same filter operations that are applicable to file system
operations are available, along with predicates involving process or system
attributes.</p>
<p>There are around 130 storage classes defined by the Platform Sandbox Policy as
of macOS 15.1. Most of the storage classes describe data as belonging to a
specific application or framework (<code>CloudKit</code>, <code>FaceTime</code>, <code>Safari</code>, and many
others), while a handful correspond directly to TCC policies (for instance,
<code>kTCCServiceAddressBook</code>, <code>kTCCServiceSystemPolicyAppBundles</code>,
<code>kTCCServiceSsytemPolicySysAdminFiles</code>). You can see the <a href="https://gist.github.com/bdash/9a73475ed0676b3a3fed88d21628e6ab#file-storage-classes-scm">complete list of storage classes
here</a>.</p>
<h3 id="tcc-prompting-based-on-storage-classes">TCC prompting based on storage classes</h3>
<p>Much like the <code>iokit-open-user-client</code> / <code>kTCCServiceCamera</code> case presented above, file system
operations consider a combination of path, storage class, and process attributes to determine
whether an operation should result in a TCC prompt.</p>
<h3 id="a-sampling-of-storage-classes">A sampling of storage classes</h3>
<h4 id="ktccservicesystempolicynetworkvolumes"><code>kTCCServiceSystemPolicyNetworkVolumes</code></h4>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>attribute local<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>filesystem<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<h4 id="ktccservicesystempolicyappbundles"><code>kTCCServiceSystemPolicyAppBundles</code></h4>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>attribute app<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>bundle<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<h4 id="ktccservicesystempolicydownloadsfolder"><code>kTCCServiceSystemPolicyDownloadsFolder</code></h4>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>path <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/downloads<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<h4 id="ktccservicesystempolicysysadminfiles"><code>kTCCServiceSystemPolicySysAdminFiles</code></h4>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>path
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/library/application support/apple/remote desktop/remotemanagement.launchd<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/library/preferences/com.apple.security.smartcard.plist<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/library/preferences/directoryservice/directoryservice.plist<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/library/preferences/systemconfiguration/com.apple.smb.server.plist<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/auto_home<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/auto_master<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/autofs.conf<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/crontab<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/exports<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/master.passwd<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/passwd<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/sudo.conf<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/usr/lib/cron<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>prefix <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/rc.<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/library/directoryservices/plugins<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/library/perl<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/library/preferences/logging<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/pam.d<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/etc/postfix<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/var/at<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/private/var/db/com.apple.xpc.launchd<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<h4 id="safari"><code>Safari</code></h4>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>path
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/caches/com.apple.safari<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/caches/com.apple.safari.safebrowsing<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/caches/com.apple.safaridavclient<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/caches/com.apple.safaritechnologypreview<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/containers/com.apple.safari<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/containers/com.apple.safari.webapp<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath
</span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/containers/com.apple.safaritechnologypreview<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/safari<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_home}/library/safaritechnologypreview<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
Sandboxing on macOS2024-11-27T00:00:00+00:002024-11-27T00:00:00+00:00
Unknown
https://bdash.net.nz/posts/sandboxing-on-macos/<h1 id="background">Background</h1>
<p>This is an overview of macOS's built-in support for application sandboxing. It
covers how sandboxing behaves from an application's perspective, how sandbox
policies are expressed, and how they're enforced by the macOS kernel. The goal
is to help developers for non-Mac platforms understand what sandboxing entails
on the Mac, and to provide macOS developers with a deeper understanding of how
sandboxing works under the hood.</p>
<p>While I discuss sandboxing here in the context of macOS, much of the
implementation and resulting behavior are shared with Apple's other platforms
(iOS, iPadOS, tvOS, etc). The most significant differences are that on those
other platforms, sandboxing is mandatory for third-party applications, and there
is no support for using custom sandbox policies in third-party applications.</p>
<h2 id="what-is-sandboxing">What is sandboxing?</h2>
<p>Sandboxing a process is a means of placing hard limits on the operations it can
perform. An application may be sandboxed for one of two reasons:</p>
<ol>
<li>
<p><strong>Security hardening</strong></p>
<p>In this context, the goal is to limit the impact of an attacker gaining code execution
within a sandboxed process. It places additional barriers between the initial
code execution and the ability for the attacker to execute other applications or
access resources such as user data on disk. This is the motiviation for sandboxing
processes like web browser rendering engines and other applications that process
complex data from from the internet.</p>
</li>
<li>
<p><strong>User privacy</strong></p>
<p>For many third-party applications, sandboxing is a demonstration that they
take user privacy seriously rather than a security mitigation. This is
particularly true of applications that use the App Sandbox policy as it
places strict limits on which parts of the filesystem an application can
access without the user explicitly granting them access via the system Open
dialog.</p>
</li>
</ol>
<p>Real-world sandbox policies block most operations by default and contain an
allow-list of permitted operations. In a perfect world, the sandbox for a
process is designed such that only the resources or operations needed during
normal execution of the process are available to it. In practice, the large
amount of code used in a typical process, both within the application itself and
provided by operating system libraries, make it difficult to tailor such a tight
sandbox. As a result most sandboxes evolve over time as the resources accessed
by an application change or the resource usage by system libraries becomes
better understood.</p>
<h1 id="sandboxing-on-macos">Sandboxing on macOS</h1>
<p>Sandboxing on macOS is implemented via the Sandbox kernel extension and controlled via the
<a href="https://manp.gs/mac/7/sandbox"><code>sandbox(7)</code></a> family of userspace APIs.</p>
<h2 id="sandboxing-from-an-application-s-perspective">Sandboxing from an application's perspective</h2>
<h3 id="types-of-application-sandbox">Types of application sandbox</h3>
<p>There are two main ways that an application can run in a sandbox:</p>
<ol>
<li>
<p>It can explicitly apply a sandbox to itself using the <code>sandbox(7)</code> family of
APIs, most of which are undocumented. These APIs provide full control over the
policy that is applied.</p>
</li>
<li>
<p>It can opt into the App Sandbox via an entitlement. The App Sandbox is a predefined
sandbox policy provided by macOS that uses process attributes, such as the presence
of specific entitlements, to determine what resources should be accessible within the
sandbox. Use of the App Sandbox is required for third-party applications distributed
via the Mac App Store.</p>
</li>
</ol>
<p>The opaque and inflexible nature of the App Sandbox means that many large, third-party
applications that are distributed outside of the Mac App Store choose to use custom sandox
policies rather than the App Sandbox.</p>
<h3 id="how-does-an-application-become-sandboxed">How does an application become sandboxed?</h3>
<p>An application using the App Sandbox entitlement will be sandboxed automatically
by initializers in <code>libSystem</code> that run very early during an application's launch.</p>
<p>An application not using the App Sandbox entitlement must explicitly apply a
sandbox policy to itself using an API such as <code>sandbox_init_with_parameters</code>.</p>
<p>It is not possible to sandbox an existing process from the outside. The process
must apply the sandbox to itself.</p>
<p>Once a process has a sandbox applied to it, it is not possible for it to disable
or remove the sandbox, nor is it possible for it to apply additional sandbox
policies. Sandboxes can be inherited when a subproces is spawned by a sandboxed
process.</p>
<h3 id="what-happens-if-the-sandbox-policy-is-violated">What happens if the sandbox policy is violated?</h3>
<p>By default, violating a sandbox policy results in the system call, or other operation that triggered
the violation, failing with <code>EPERM</code> (operation not permitted). It is up to the calling code to handle
this error gracefully.</p>
<p>The sandbox kernel extension also logs a message to the system console, and <code>sandboxd</code>
(a userspace helper) may generate a violation report that includes a backtrace of
the thread that triggered the violation. This can be used to track down what code was
responsible for the violation.</p>
<p>Sandbox policies can control this behavior via action modifiers. See <a href="https://bdash.net.nz/posts/sandboxing-on-macos/#sandbox-policy-evaluation">Sandbox policy evaluation</a>
for more detail.</p>
<h3 id="what-does-a-sandbox-policy-look-like">What does a sandbox policy look like?</h3>
<p>Sandbox policies are written in a dialect of Scheme known as SBPL. The policies
are interpreted via an interpreter within <code>libsandbox</code>, based on
<a href="https://tinyscheme.sourceforge.net/home.html">TinyScheme</a>, which generates a
compiled representation of the policy that it passes to the Sandbox kernel
extension.</p>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; All operations not explicitly allowed will be denied.
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>default deny<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; Allow reading from /tmp/foo and the directory /tmp/bar
</span></span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; and any files below it.
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>allow file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-support z-function z-lisp">read</span><span class="z-keyword z-operator z-arithmetic z-lisp">*</span> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>path <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/tmp/foo<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/tmp/bar<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; Allow sysctl kern.hostname, but do it noisily.
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>allow <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-keyword z-control z-lisp">with</span> report<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span> sysctl <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>sysctl<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>name <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>kern.hostname<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; Allow creating new files below /tmp/no-symlinks as long
</span></span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; as they aren't symlinks.
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>allow file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-support z-function z-lisp">write</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>create<span class="z-keyword z-operator z-arithmetic z-lisp">*</span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>all
</span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-keyword z-operator z-logical z-lisp">not</span>
</span></span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>vnode<span class="z-keyword z-operator z-arithmetic z-lisp">-</span>type SYMLINK<span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>/tmp/no-symlinks<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<p>This simple policy shows the basics of how a sandbox policy is expressed. The
policy for individual operations is specified via an <code>allow</code> or <code>deny</code> function
call that takes the name of the operation and any predicates that must be
matched for the specified action (<code>allow</code> or <code>deny</code>) to be applied. A default
action is provided via the <code>default</code> function for cases not matched via explicit
<code>allow</code> or <code>deny</code> actions.</p>
<p>Being a Scheme dialect, the usual programming language constructs are available:
conditionals, loops, lambdas, and even macros!</p>
<p>Additionally, SBPL supports passing string values as parameters to the policy.
These parameters are available via the <code>param</code> function during policy
evaluation. This combination of features makes it possible to express a policy
that the application can configure:</p>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>define SHINY_NEW_DOWNLOADS_ENABLED <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>param <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>SHINY_NEW_DOWNLOADS_ENABLED<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-keyword z-control z-lisp">if</span> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-keyword z-operator z-comparison z-lisp">equal</span>? SHINY_NEW_DOWNLOADS_ENABLED <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>YES<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>allow file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-support z-function z-lisp">read</span><span class="z-keyword z-operator z-arithmetic z-lisp">*</span> file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-support z-function z-lisp">write</span><span class="z-keyword z-operator z-arithmetic z-lisp">*</span> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_homedir}/Downloads<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<h4 id="sandbox-extensions">Sandbox extensions</h4>
<p>The evaluation-time configurability that parameters and conditional logic
provides is applicable to policy decisions that affect the lifetime of the
process. However, they are not sufficient to handle cases where the possible
resources that may be accessed are not known in advance. This requires the
ability to dynamically extend the sandbox after a policy has been applied.</p>
<p>For example, a service's sandbox policy may be configured to allow it to access
data that it owns that lives in a fixed location. Clients of the service may
need it to perform work on data that they own that lives outside of that
location. Rather than having a broad sandbox policy that makes the client's data
available, the sandbox policy can be limited to only the service's data, and be
extended dynamically to access the client's data via a <em>sandbox extension</em>.</p>
<p>Using a sandbox extension requires cooperation from both the sandbox policy, the
sandboxed process, and and the process interacting with the sandboxed process.</p>
<p>The process interacting with the sandboxed process issues an extension of a
given class (represented as a reverse-DNS style dotted string) to a given
resource that it has access to (typically a path or Mach bootstrap name). This
results in a sandbox token, represented as an opaque string.</p>
<p>The client sends this token to the sandboxed process which consumes the
extension token. The effect that the extension has on the sandboxed process is
controlled by logic within its sandbox policy. Once the work that requires the
extended sandbox is finished, the sandboxed process can release the extension.
This revokes access to the resources that the extension covered.</p>
<p>As an example of how the sandbox policy controls the effect an extension has on
it, consider the following:</p>
<pre data-lang="scm" class="language-scm z-code"><code class="language-scm" data-lang="scm"><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; Allow reading any file for which we have consumed an
</span></span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; extension of class com.apple.app-sandbox.read
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>allow file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-support z-function z-lisp">read</span><span class="z-keyword z-operator z-arithmetic z-lisp">*</span> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>extension <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>com.apple.app-sandbox.read<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; In contrast, the com.example.sandbox.read-downloads
</span></span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; extension will only permit reading a file if the extension
</span></span><span class="z-source z-lisp"><span class="z-comment z-line z-semicolon z-lisp"><span class="z-punctuation z-definition z-comment z-lisp">;</span>; was issued for a path under ~/Downloads.
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>allow file<span class="z-keyword z-operator z-arithmetic z-lisp">-</span><span class="z-support z-function z-lisp">read</span><span class="z-keyword z-operator z-arithmetic z-lisp">*</span>
</span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span><span class="z-support z-function z-lisp">require</span><span class="z-keyword z-operator z-arithmetic z-lisp">-</span>all
</span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>extension <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>com.example.sandbox.read-downloads<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></span></span><span class="z-source z-lisp"><span class="z-meta z-group z-lisp"><span class="z-meta z-group z-lisp"> <span class="z-meta z-group z-lisp"><span class="z-punctuation z-definition z-group z-begin z-lisp">(</span>subpath <span class="z-string z-quoted z-double z-lisp"><span class="z-punctuation z-definition z-string z-begin z-lisp">"</span>${any_user_homedir}/Downloads<span class="z-punctuation z-definition z-string z-end z-lisp">"</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span><span class="z-punctuation z-definition z-group z-end z-lisp">)</span></span>
</span></code></pre>
<p>In the second example, the policy only permits the
<code>com.example.sandbox.read-downloads</code> sandbox extension class to be used to
extend access to a specific subdirectory.</p>
<h1 id="sandbox-apis">Sandbox APIs</h1>
<p>All of the sandbox APIs described here are private APIs. Apple considers
sandboxing at this level to be deprecated in favor of the App Sandbox. In
practice, the App Sandbox is not a usable replacement for many large
applications. Apple continues to make use of these lower-level APIs for
sandboxing its first-party applications and helper tools.</p>
<p><code>sandbox_init_with_parameters</code> takes SBPL source as a string and an array of
parameters that the policy can access. It evaluates the SBPL and compiles the
resulting state to bytecode (described below). It then asks the Sandbox kernel
extension to apply the sandbox to the current process.</p>
<p><code>sandbox_compile</code> and <code>sandbox_apply</code> split the work of compiling the policy to
bytecode and applying it to the process into two separate calls. This can avoid
the overhead of repeatedly evaluating the same SBPL source if you ever launch
more than one process with the same policy. Instead you can cache the compiled
bytecode and the process can then use the bytecode when applying its sandbox.</p>
<p><code>sandbox_extension_issue_file</code>, <code>sandbox_extension_consume</code>,
<code>sandbox_extension_release</code> are used for issuing, consuming, and releasing
extensions respectively.</p>
<h2 id="mac-in-the-macos-kernel">MAC in the macOS kernel</h2>
<p>The macOS kernel (XNU) provides a Mandatory Access Control Framework (MACF) that
exposes around <a href="https://github.com/apple-oss-distributions/xnu/blob/main/security/mac_policy.h">300 policy
hooks</a>
that can be used to approve or deny specific operations at a fine-grained level.
Most of the policy hooks correspond to specific system calls or operations on
the kernel's file system abstraction (VFS). As the name implies, these policy
hooks are mandatory and are applied to all clients that use the system calls or
perform file system operations.</p>
<p>The Sandbox kernel extension is a client of the MACF and implements many of the
policy hooks exposed by the kernel. When a system call is made that the Sandbox
kernel extension provides a policy hook for, XNU calls the corresponding policy
hook early in the handling of the system call. The policy hook is provided with
context about the operation being performed (i.e., arguments for the system call
being made). This gives the Sandbox kernel extension an opportunity to deny the
operation if its policies state that it should not be permitted.</p>
<h2 id="sandbox-kernel-extension">Sandbox kernel extension</h2>
<p>Sandbox policies can be applied to a process at two main levels<sup class="footnote-reference" id="fr-2-1"><a href="#fn-2">1</a></sup>:</p>
<ol>
<li>The platform sandbox policy is applied to all processes.</li>
<li>User-space applications can opt into being sandboxed.</li>
</ol>
<p>When a user-space application opts into being sandboxed, its sandbox policy is
passed to the Sandbox kernel extension via the <code>__mac_syscall</code> system call
(often via the <code>__sandbox_ms</code> wrapper function). The kernel routes this system
call to the appropriate MACF client based on its arguments. The Sandbox kernel
extension performs some basic validation and then associates the policy with the
kernel <code>proc</code> structure for the process using a MAC label.</p>
<p>When the kernel calls a MACF policy hook in the Sandbox kernel extension, the
policy hook is mapped to a sandbox operation type that describes the operation
being attempted. This provides a layer of indirection from the exact MACF hooks
exposed in the kernel. You can see the <a href="https://gist.github.com/bdash/ccbfb773ad57484532a74a982fe4f571#file-sandbox-operations-scm">complete list of sandbox operations
here</a>.</p>
<p>The operation is then evaluated against the platform sandbox policy. If the
system sandbox policy denies the operation, the denial is propagated back
through the MACF hook to the kernel and an error is returned via the system
call.</p>
<p>If the platform sandbox policy permits the operation, it will next be evaluated
against the process sandbox policy. The Sandbox kernel extension retrieves the
sandbox policy associated with the process performing the hooked operation. If a
sandbox policy is found, it is evaluated to determine whether the operation
should be permitted. If the process is not sandboxed, the operation is
permitted.</p>
<h3 id="sandbox-policy-evaluation">Sandbox policy evaluation</h3>
<p>The sandbox policy consists of a list of bytecode instructions, and a mapping from sandbox
operation to the initial bytecode instruction to be evaluated for that operation.
Bytecode instructions take two forms:</p>
<ol>
<li>
<p><strong>Filter instructions</strong></p>
<p>These consist of a predicate, an <em>if match</em> instruction index, and an <em>if not match</em>
instruction index. If the predicate evaluates to true, execution continues from the <em>if
match</em> instruction index. Otherwise it jumps to the <em>if not match</em> instruction index.</p>
</li>
<li>
<p><strong>Action instructions</strong></p>
<p>Actions may be either <code>allow</code> or <code>deny</code>, and they may have one or more modifiers
associated with them. When evaluation reaches an action, the modifiers are applied and
evaluation of the sandbox policy terminates with the action as the result.</p>
</li>
</ol>
<p>In the policies I have analyzed, all jumps are forward jumps. As a result the bytecode forms a
disconnected directed graph from entry points, through zero or more filters, to actions.</p>
<h4 id="filters">Filters</h4>
<p>There are around 90 different filter predicates supported as of macOS 15. You
can see the <a href="https://gist.github.com/bdash/ccbfb773ad57484532a74a982fe4f571#file-filters-scm">complete list of filter predicates
here</a>.</p>
<p>Most predicates match information about the operation being performed. For
instance, file system operations can be filtered via the <code>path</code> and <code>vnode-type</code>
filters. <code>sysctl</code> system calls can be filtered using the name of the operation via the
<code>sysctl-name</code> predicate. Mach bootstrap lookup operations can be matched via the
<code>global-name</code> or <code>local-name</code> filters.</p>
<p>The remainder of the predicates deal with attributes of the process performing
the operation, such as <code>signing-identifier</code> or <code>entitlement-is-present</code>, or the
state of the operating system system (<code>csr</code> for information about configurable
security restrictions such System Integrity Protection, or <code>system-attribute</code>
for other attributes).</p>
<p>These last two groups of predicates are mostly of use to policies that apply to
more than one application, such as the platform sandbox policy or the App
Sandbox, rather than application-specific policies.</p>
<h4 id="action-modifiers">Action modifiers</h4>
<p>Modifiers can be applied on both <code>allow</code> or <code>deny</code> actions in order to modify
<a href="https://bdash.net.nz/posts/sandboxing-on-macos/#what-happens-if-the-sandbox-policy-is-violated">the default behavior</a>. The
permitted set of modifiers differs for <code>allow</code> and <code>deny</code> actions as some
modifiers only make sense in one context. You can see the <a href="https://gist.github.com/bdash/ccbfb773ad57484532a74a982fe4f571#file-action-modifiers-scm">complete list of
action modifiers
here</a>.</p>
<p>Examples of modifiers supported on deny actions include:</p>
<ul>
<li>overriding the errno value that is returned from the denied operation: <code>(with EBADEXEC)</code></li>
<li>suppressing reporting of sandbox violations: <code>(with no-report)</code></li>
<li>sending a signal to the user-space thread that performed the system call: <code>(with send-signal SIGUSR1)</code></li>
<li>triggering Apple-internal telemetry related to the violation: <code>(with telemetry)</code></li>
</ul>
<p>Modifiers supported on allow actions include:</p>
<ul>
<li>generating a violation report: <code>(with report)</code></li>
<li>logging a message to the system console: <code>(with message "…")</code></li>
<li>triggering Apple-internal telemetry related to the operation: <code>(with telemetry)</code></li>
</ul>
<section class="footnotes">
<ol class="footnotes-list">
<li id="fn-2">
<p>I have come across references to a few other types of policies (autobox,
bastion, and delegated policies), but I have not yet investigated what role they
play. <a href="#fr-2-1">↩</a></p>
</li>
</ol>
</section>