Apple Sandbox Guide v1.0

Here is a version I consider good enough to come out of draft status. I have added more information – one thing I was especially interested in was matching the available operations in the SBPL syntax with the system/kernel functions that they control. This helps to better understand the impact of each operation. Appendix B features the lazy IDC script I used to extract this information from the sandbox kernel module (then I had to match it with the xnu kernel sources).
I tried to provide examples for all operations and make notes of some problems/features where available. Also added a few more references about this subject. The book “Enterprise Mac Security: Mac OS X Snow Leopard” has a pretty good chapter dedicated to this.

I hope it’s useful for you. I have been using it as reference while developing some custom profiles.

Enjoy,
fG!

Apple Sandbox Guide v1.0.pdf
SHA256(Apple Sandbox Guide v1.0.pdf)= c6ae8502a48f09a6309a9485e9bf7794389e969fd9ab65c46d805307a9a1cb8e

vienna.sb.gz
SHA256(vienna.sb)= 0831910e4d2a92253e5b64e92ec0f27e1408b926253eca9eee3f9918036077c0

9 thoughts on “Apple Sandbox Guide v1.0”

  1. Hey fG!

    You should have a look at the Application Sandboxing Guide if you want to sandbox GUI applications. That could come in handy.

  2. Very interesting guide, but it does not explain everything that is in /System/Library/PrivateFrameworks/WebKit2.framework/WebProcess.app/Contents/Resources/com.apple.WebProcess.sb (MacOSX 10.6.8).

    For example, (param "string") is replaced by what is defined by the -D switch on the command line.
    (define) can be used to define variables.
    (if) can do conditional rules; examples are (if (positive? (string-length (param "string"))) and the mysterious (if (defined? 'extension-class)

    1. Hello,

      You are correct! I was more interested in describing the sandbox-related commands than documenting the whole tiny-Scheme language features (one of the chapters describes two or three of those commands/definitions).
      Maybe I will do it in a new update, if I have some time & patience to learn Scheme 😉

      Thanks for the tip 🙂

      1. Do you intend to update the guide with some Mountain Lion novelties, e.g. user-preference-write (preference-domain “…”)?

        1. Hello,
          Are there any significant changes or new features that are worth the update effort?
          I’ve been busy with some other projects so free time is scarce :-/

          fG!

  3. I don’t know. I was hoping that you could tell.
    I saw things like (vnode-type DIRECTORY) that should be useful when writing one’s own profile.
    There are many things around entitlements too.

    There is also some syntax that already exists in Lion and is not in your guide, e.g. (allow qtn-sandbox) or (allow file-issue-extension) or (allow authorization-right-obtain)

    There are still many mysteries in this “Apple System Private Interface”…
