
Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 1:47 pm
by copumpkin
I would like to restrict a running child process of mine from running certain operations, dynamically, after it forks off. Is that possible using the existing sandboxing mechanism? I vaguely remember some sort of extensions mechanism (which might be this use case or I might just be misremembering) in the early sandboxing code but can't find the sandbox_create_extensions function I remember from back then anymore in libsandbox.dylib.

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 3:24 pm
by scknight
Is this what you were thinking of?

https://developer.apple.com/legacy/libr ... nit.3.html

It's listed as deprecated; I can't remember if you can still voluntarily call it or not, but it sounds like what you're describing.

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 3:30 pm
by copumpkin
That's the general mechanism I'm talking about, and yes, the sandbox_init API is basically gone. We can still use it with the `sandbox-exec` command-line tool and a few other ways, in addition to the sbtool thing from this site.

But anyway, the underlying APIs and language have never really been officially documented so you wouldn't find anything about sandbox_create_extensions anywhere official. Just wondering if anyone had uncovered much about changing a running sandbox during other reversing efforts.

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 3:38 pm
by scknight

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 3:42 pm
by copumpkin
I think that's sort of the moral successor to sandbox_init, but doesn't allow me to apply it to an existing process from the outside, as far as I can tell.

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 3:51 pm
by morpheus
Use spawn attrs prior to posix_spawn. IIRC, _posix_spawnattr_setmacpolicyinfo.

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 4:07 pm
by copumpkin
Ah, so modifying the attrs after you posix_spawn will affect the running child? Interesting! I'll poke at posix_spawnattr_setmacpolicyinfo_np (I assume that's what you're talking about), thanks!

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 5:15 pm
by morpheus
no no no. That's before spawning. After it's spawned, it's spawned. Too late. Further, if a sandbox has been applied, you won't be able to unsandbox. And yeah, you can also use my sandbox_exec example as was suggested. apply_container works similarly; both are PRIOR to the exec/spawn.

sandbox_init() is doable (it's a mac_syscall (#381)), but if the process won't do it, you can instead opt to inject (using my injector, for example) and do it from within that target process.
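The pattern morpheus describes, a restriction applied by the child itself before it execs rather than by the parent from the outside afterwards, as an added C example; this is not code from the thread or from any poster. It assumes macOS with the public (deprecated) `<sandbox.h>` API, where `sandbox_init()` with `flags` of 0 takes an SBPL profile string; the profile text, the `run_restricted` helper and the exit code 125 are constructed here for illustration. On a non-Apple platform a stub stands in so the file still compiles, and the child reports that no sandbox could be applied instead of running unrestricted.

```c
// Added example (not from the thread): fork, apply a Seatbelt profile in the
// child with sandbox_init() BEFORE exec, then exec the real program. The
// parent's own sandbox is left untouched; it cannot tighten the child's from
// outside once the child is running.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/wait.h>

#ifdef __APPLE__
#include <sandbox.h>
#else
/* Stub for non-Apple builds (assumption: only macOS has Seatbelt). It always
 * fails, so the restriction is never silently skipped. */
static int sandbox_init(const char *profile, uint64_t flags, char **errorbuf) {
    (void)profile; (void)flags;
    if (errorbuf) *errorbuf = "sandbox_init unavailable on this platform (stub)";
    return -1;
}
static void sandbox_free_error(char *errorbuf) { (void)errorbuf; }
#endif

/* Exit code used by the child when the profile cannot be applied (our own
 * convention), kept distinct from the exec'd program's exit codes. */
#define EXIT_SANDBOX_FAILED 125

/* A constructed deny-by-default SBPL profile that only allows what a trivial
 * child needs: exec'ing a binary, reading files (dyld, libraries) and reading
 * sysctls. flags=0 in sandbox_init() means "this string is SBPL source". */
static const char *restrictive_profile(void) {
    return "(version 1)\n"
           "(deny default)\n"
           "(allow process-exec)\n"
           "(allow file-read*)\n"
           "(allow sysctl-read)\n";
}

/* Fork, sandbox the child, exec argv[0]. Returns the child's exit status,
 * or -1 if fork()/waitpid() failed or the child died from a signal. */
static int run_restricted(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: the profile must be applied here, before exec. */
        char *err = NULL;
        if (sandbox_init(restrictive_profile(), 0, &err) != 0) {
            fprintf(stderr, "sandbox_init: %s\n", err ? err : "unknown error");
            if (err) sandbox_free_error(err);
            _exit(EXIT_SANDBOX_FAILED);
        }
        execvp(argv[0], argv);
        perror("execvp");
        _exit(126);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -1;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_restricted(&argv[1]);
    printf("child exited with %d\n", rc);
    return rc < 0 ? 1 : rc;
}
```

Run it as `./run_restricted /bin/true`; a child that then tries to write a file or reach the network gets EPERM from the kernel rather than the parent having to police it. Anything the child legitimately needs has to be allowed in the profile up front, which is exactly why the restriction has to be decided before the exec.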

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 5:39 pm
by copumpkin
Well in my case the process already has a sandbox, and I want to amend it to use another (more stringent) sandbox. It sounds like that's not possible? The use case is my other thread, at viewtopic.php?f=7&t=17135, but I phrased this one more generally because I'm curious if it can be done even independently of that.

Re: Changing a running (child) process's sandbox

PostPosted: Thu Oct 12, 2017 6:02 pm
by copumpkin
The thing I was remembering was the various *-issue-extension permissions in the sandboxing language, and I remember an old API in libsandbox for dealing with extensions. I wonder if they just retired the feature, or if I'm confused about what it did.