(Created page with 'Seatbelt, also known as '''[http://en.wikipedia.org/wiki/Sandbox_(computer_security) sandbox]''', is a kernel extension that restricts a set of features from being used for s…') |
No edit summary |
||
Line 32: | Line 32: | ||
* "[[MobileMaps]]" | * "[[MobileMaps]]" | ||
* "container" (Having the same restriction as AppStore apps.) | * "container" (Having the same restriction as AppStore apps.) | ||
=== Definition of profiles === | |||
==== container ==== | |||
This profile is from 2.x, which may have been outdated. | |||
<source lang="scheme"> | |||
(version 1) | |||
(deny default) | |||
; Sandbox violations get logged to syslog via kernel logging. | |||
(debug deny) | |||
(allow sysctl-read) | |||
; Mount / umount commands | |||
(deny file-write-mount file-write-umount) | |||
; System is read only | |||
(allow file-read*) | |||
(deny file-write*) | |||
; NOTE: Later rules override earlier rules. | |||
; Private areas | |||
(deny file-write* | |||
(regex "^/private/var/mobile/Applications/.*$")) | |||
(deny file-read* | |||
(regex "^/private/var/mobile/Applications/.*$")) | |||
; SQLite uses /private/var/tmp | |||
; TBR: <rdar://problem/5805879> SQLite doesn't honor the TMPDIR environment variable | |||
(allow file-write* | |||
(regex "^/private/var/tmp(/|$)")) | |||
(allow file-read* | |||
(regex "^/private/var/tmp(/|$)")) | |||
; TBR: <rdar://problem/5806524> | |||
(allow process-exec | |||
(regex "^/private/var/tmp$")) | |||
; TBR: <rdar://problem/5830139> | |||
(allow file-write* | |||
(regex "^/private/var/tmp/UpdatedSnapshots/$")) | |||
; Permit reading and writing in the App container | |||
(allow file-read* | |||
(regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(/|$)")) | |||
(allow file-write* | |||
(regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/(tmp|Library|Documents)(/|$)")) | |||
(allow process-exec | |||
(regex #"^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.*\.app(/|$)")) | |||
; Allow Address book access via filesystem | |||
; This is an SQLite3 database - there is room to make the rules tighter | |||
(allow file-write* | |||
(regex "^/private/var/mobile/Library/AddressBook(/|$)")) | |||
(allow file-read* | |||
(regex "^/private/var/mobile/Library/AddressBook(/|$)")) | |||
; Allow keyboard db access via filesystem | |||
; This is a custom file format. There is room to make the rules tighter | |||
(allow file-write* | |||
(regex "^/private/var/mobile/Library(/Keyboard)?(/|$)")) | |||
(allow file-read* | |||
(regex "^/private/var/mobile/Library(/Keyboard)?(/|$)")) | |||
; Pictures, but not other media | |||
; Allow photo access via filesystem. There is room to make the rules tighter | |||
(deny file-write* | |||
(regex "^/private/var/mobile/Media(/|$)")) | |||
(deny file-read* | |||
(regex "^/private/var/mobile/Media/")) | |||
(allow file-write* | |||
(regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$")) | |||
(allow file-read* | |||
(regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$")) | |||
(allow file-write* | |||
(regex "^/private/var/mobile/Media/DCIM(/|$)")) | |||
(allow file-read* | |||
(regex "^/private/var/mobile/Media/DCIM(/|$)")) | |||
(allow file-read* | |||
(regex "^/private/var/mobile/Media/Photos(/|$)")) | |||
; Mach lookups. There is room to make the rule tighter. | |||
(allow mach-lookup) | |||
;; (global-name "PurpleSystemEventPort") | |||
;; (global-name "com.apple.CARenderServer") | |||
;; (global-name "com.apple.eventpump") | |||
;; (global-name "com.apple.springboard.migserver") | |||
;; (global-name "com.apple.system.notification_center")) | |||
(deny process-fork) | |||
; For ASL logs - /var/run/asl_input (XXX: socket can now be named) | |||
; (allow network-outbound) | |||
; (to unix-socket "/private/var/run/asl_input")) | |||
(allow network*) | |||
; To allow crash reporter / exceptions to kill the process | |||
(allow signal (target self)) | |||
</source> | |||
== Creating your own sandbox definition == | == Creating your own sandbox definition == | ||
Line 37: | Line 145: | ||
* /usr/share/sandbox/*.sb | * /usr/share/sandbox/*.sb | ||
* /private/var/mobile/Applications/*.sb | * /private/var/mobile/Applications/*.sb | ||
shall be compiled and sandboxed by this definition. (You can also provide a complete path.) However, | shall be compiled and sandboxed by this definition. (You can also provide a complete path.) However, due to the lack of <tt>sandboxd<tt> the .sb files cannot be compiled, so assume this feature isn't there yet. | ||
== Oasis in the sandbox around /var/mobile == | == Oasis in the sandbox around /var/mobile == |
Revision as of 17:14, 10 October 2009
Seatbelt, also known as sandbox, is a kernel extension that restricts a set of features from being used for some processes.
Applying sandbox to your app
It is a good idea to apply a sandbox to restrict what your app can do, esp. for setuid apps, in case a vulnerability is found (well maybe not needed for iPhoneOS...). The documented way of applying a sandbox is
#include <sandbox.h>
char* errbuf;
int errcode = sandbox_init("profile", SANDBOX_NAMED, &errbuf);
...
sandbox_free_error(errbuf);
Once a sandbox is applied, you cannot jump out from the sandbox anymore.
There are 5 documented profiles
- kSBXProfileNoWriteExceptTemporary (= "write-tmp-only")
- kSBXProfileNoInternet (= "nointernet")
- kSBXProfileNoNetwork (= "nonet")
- kSBXProfileNoWrite (= "nowrite")
- kSBXProfilePureComputation (= "pure-computation")
and 9 undocumented profiles:
- "sandbox-compilerd"
- "mDNSResponder"
- "apsd"
- "AppleDiags"
- "PasteBoard"
- "MobileSafari"
- "MobileMail"
- "MobileMaps"
- "container" (Having the same restriction as AppStore apps.)
Definition of profiles
container
This profile is from 2.x, which may have been outdated.
(version 1)
(deny default)
; Sandbox violations get logged to syslog via kernel logging.
(debug deny)
(allow sysctl-read)
; Mount / umount commands
(deny file-write-mount file-write-umount)
; System is read only
(allow file-read*)
(deny file-write*)
; NOTE: Later rules override earlier rules.
; Private areas
(deny file-write*
(regex "^/private/var/mobile/Applications/.*$"))
(deny file-read*
(regex "^/private/var/mobile/Applications/.*$"))
; SQLite uses /private/var/tmp
; TBR: <rdar://problem/5805879> SQLite doesn't honor the TMPDIR environment variable
(allow file-write*
(regex "^/private/var/tmp(/|$)"))
(allow file-read*
(regex "^/private/var/tmp(/|$)"))
; TBR: <rdar://problem/5806524>
(allow process-exec
(regex "^/private/var/tmp$"))
; TBR: <rdar://problem/5830139>
(allow file-write*
(regex "^/private/var/tmp/UpdatedSnapshots/$"))
; Permit reading and writing in the App container
(allow file-read*
(regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(/|$)"))
(allow file-write*
(regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/(tmp|Library|Documents)(/|$)"))
(allow process-exec
(regex #"^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.*\.app(/|$)"))
; Allow Address book access via filesystem
; This is an SQLite3 database - there is room to make the rules tighter
(allow file-write*
(regex "^/private/var/mobile/Library/AddressBook(/|$)"))
(allow file-read*
(regex "^/private/var/mobile/Library/AddressBook(/|$)"))
; Allow keyboard db access via filesystem
; This is a custom file format. There is room to make the rules tighter
(allow file-write*
(regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
(allow file-read*
(regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
; Pictures, but not other media
; Allow photo access via filesystem. There is room to make the rules tighter
(deny file-write*
(regex "^/private/var/mobile/Media(/|$)"))
(deny file-read*
(regex "^/private/var/mobile/Media/"))
(allow file-write*
(regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-read*
(regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-write*
(regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
(regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
(regex "^/private/var/mobile/Media/Photos(/|$)"))
; Mach lookups. There is room to make the rule tighter.
(allow mach-lookup)
;; (global-name "PurpleSystemEventPort")
;; (global-name "com.apple.CARenderServer")
;; (global-name "com.apple.eventpump")
;; (global-name "com.apple.springboard.migserver")
;; (global-name "com.apple.system.notification_center"))
(deny process-fork)
; For ASL logs - /var/run/asl_input (XXX: socket can now be named)
; (allow network-outbound)
; (to unix-socket "/private/var/run/asl_input"))
(allow network*)
; To allow crash reporter / exceptions to kill the process
(allow signal (target self))
Creating your own sandbox definition
A sandbox definition should be a Scheme file with extension .sb. If a non-built-in profile is given, a .sb placed in one of:
- /usr/share/sandbox/*.sb
- /private/var/mobile/Applications/*.sb
shall be compiled and sandboxed by this definition. (You can also provide a complete path.) However, due to the lack of sandboxd the .sb files cannot be compiled, so assume this feature isn't there yet.
Oasis in the sandbox around /var/mobile
While sandbox is a nice security feature, it is sometimes too restrictive for a MobileSubstrate extension. Since the sandbox is implemented as a kernel feature it's impossible to workaround it. For example, an MS extension targeting AppStore app can only write in /var/mobile, but most of the /var/mobile itself is unreadable due to sandboxing. But there are a few places that the sandbox cannot apply, so AppStore apps may store data in these places. They are:
- Anything in the container itself (of course).
- ~/* except the Media and Library subfolders, which only the following directories are readable:
- ~/Media/DCIM/*
- ~/Media/Photos/*
- ~/Library/AddressBook/*
- ~/Library/Keyboard/*
- ~/Library/Preferences/*
An AppStore app itself can also read/write to these folders, even without jailbreaking (in principle), but they must be accessed via a symlink. Doing so allows easy cross-app data sharing, but that may violate the AppStore rules.
Kernel debug messages regarding the sandbox
You can turn on kernel debug messages from the Seatbelt.kext with this command:
sysctl -w security.mac.seatbelt.debug=<integer>
where the integer is a bit-field, with purposes:
- 1 = Memory management (reference counting) messages. Very verbose, do not turn it on.
- 2 = Function hook messages.
- 4, 8, 16, 32, 64, 128 = ???
Set to 0 to turn off everything.