Changing a running (child) process's sandbox

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Changing a running (child) process's sandbox

Postby copumpkin » Thu Oct 12, 2017 1:47 pm

I would like to restrict a running child process of mine from running certain operations, dynamically, after it forks off. Is that possible using the existing sandboxing mechanism? I vaguely remember some sort of extensions mechanism (which might be this use case or I might just be misremembering) in the early sandboxing code but can't find the sandbox_create_extensions function I remember from back then anymore in libsandbox.dylib.
copumpkin
 
Posts: 12
Joined: Tue Oct 10, 2017 12:43 am

Re: Changing a running (child) process's sandbox

Postby scknight » Thu Oct 12, 2017 3:24 pm

Is this what you were thinking of?

https://developer.apple.com/legacy/libr ... nit.3.html

It's listed as deprecated, I can't remember if you can still voluntarily call it or not, but it sounds like what you're describing.
scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm

Re: Changing a running (child) process's sandbox

Postby copumpkin » Thu Oct 12, 2017 3:30 pm

That's the general mechanism I'm talking about, and yes the sandbox_init API is basically gone. We can still use it with the `sandbox-exec` command-line tool and a few other ways, in addition to the sbtool thing from this site.

But anyway, the underlying APIs and language have never really been officially documented so you wouldn't find anything about sandbox_create_extensions anywhere official. Just wondering if anyone had uncovered much about changing a running sandbox during other reversing efforts.
copumpkin
 
Posts: 12
Joined: Tue Oct 10, 2017 12:43 am

Re: Changing a running (child) process's sandbox

Postby scknight » Thu Oct 12, 2017 3:38 pm

scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm

Re: Changing a running (child) process's sandbox

Postby copumpkin » Thu Oct 12, 2017 3:42 pm

I think that's sort of the moral successor to sandbox_init, but doesn't allow me to apply it to an existing process from the outside, as far as I can tell.
copumpkin
 
Posts: 12
Joined: Tue Oct 10, 2017 12:43 am

Re: Changing a running (child) process's sandbox

Postby morpheus » Thu Oct 12, 2017 3:51 pm

Use spawn attrs prior to posix_spawn. IIRC, _posix_spawnattr_setmacpolicyinfo.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: Changing a running (child) process's sandbox

Postby copumpkin » Thu Oct 12, 2017 4:07 pm

Ah, so modifying the attrs after you posix_spawn will affect the running child? Interesting! I'll poke at posix_spawnattr_setmacpolicyinfo_np (I assume that's what you're talking about), thanks!
copumpkin
 
Posts: 12
Joined: Tue Oct 10, 2017 12:43 am

Re: Changing a running (child) process's sandbox

Postby morpheus » Thu Oct 12, 2017 5:15 pm

no no no. That's before spawning. After it's spawned, it's spawned. Too late. Further, if a sandbox has been applied, you won't be able to unsandbox. And yeah, you can also use my sandbox_exec example as was suggested. apply_container works similarly, both are PRIOR to the exec/spawn

sandbox_init() is doable (it's a mac_syscall (#381)) but if process won't do it, you can instead opt to inject (using my injector, for example) and do it from in that target process.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: Changing a running (child) process's sandbox

Postby copumpkin » Thu Oct 12, 2017 5:39 pm

Well in my case the process already has a sandbox, and I want to amend it to use another (more stringent) sandbox. It sounds like that's not possible? The use case is my other thread, at viewtopic.php?f=7&t=17135, but I phrased this one more generally because I'm curious if it can be done even independently of that.
copumpkin
 
Posts: 12
Joined: Tue Oct 10, 2017 12:43 am

Re: Changing a running (child) process's sandbox

Postby copumpkin » Thu Oct 12, 2017 6:02 pm

The thing I was remembering was the various *-issue-extension permissions in the sandboxing language, and I remember an old API in libsandbox for dealing with extensions. I wonder if they just retired the feature, or if I'm confused about what it did.
copumpkin
 
Posts: 12
Joined: Tue Oct 10, 2017 12:43 am

Next

Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 1 guest