Sandboxing your scripts in OSX

Sandboxing is a system level feature that allows to limit the capabilities of an application due to security reasons or simply because we are developing the application or the script. Sandboxing is also the starting point for application-level virtualization because the next step of system call interception is system call detour.

OSX provides application level sandboxing since a long-time and it is worth looking at it while developing a new bash script, or simply when we want to perform a command line that involves sensitive data. Let's say we want to perform rsync of our family pictures and we really want be sure that we will not mistakenly impact our files.

The objective is to protect the execution of an executable or script file allowing it to write only on a given path. The idea is to make a shell script as follows:

writethere.sh TARGETPATH CMD ARGS*

The sandbox-exec utility of OSX executes another program using the provided sandboxing configuration file. The configuration file uses a Lisp style functional syntax and it can also receive parameters assigned with the "-D" option.

Let's look first at the writethere.sh:

#/bin/bash
target=$1
shift 1
sandbox-exec -f writethere.sb -Dtarget=$target $*

Simply it extracts the first argument as target and passes it to the configuration file "writethere.sb". The configuration file is simple:

(version 1)
(deny default)
(allow file-read*)
(allow process-exec)
(allow sysctl-read)
(allow signal)
(allow file-write* (regex (string-append "^" (regex-quote (param "target")) ".*")))

The allowed operations are relative to processes, signals and file read. The last line limits writing to the path specified by a regular expression that has the target parameter as prefix.

It is also possible to extract the trace of a program running for understanding its requirements. First make a simple configuration file:

(version 1)
(trace "/tmp/traceout.sb")

And then run it with -exec and -simplify

sandbox-exec -f trace.sb binary_to_be_sandboxed
sandbox-simplify /tmp/traceout.sb > ./tracesimple.sb

For more fancy uses of Sandboxes just look at the documentation and to the /usr/share/sandbox that contains many configurations used internally by OSX.

Updated: gist of the script and sb file
Updated: examples by others


Comments

Popular Posts