hoakley June 24, 2023 Macs, Technology

Explainer: the app sandbox

For a computer to be really secure, it shouldn’t run any untrusted code. In macOS that would mean no third-party apps, which would severely limit the appeal of a Mac. One way round this is to run untrusted code in a tightly restricted environment, denying it the ability to access storage, memory or other resources outside those dedicated to it by its sandbox, managed by macOS.

Even that’s too restrictive for the great majority of apps, though. You expect an image editor to be able to open and save images in folders you control, like ~/Documents, or those in your Pictures folder or Photos Library. So, having put an app into its sandbox, the next thing you need to do is provide it ways out of those restrictions. In Apple’s operating systems, those are granted according to entitlements burned into the app’s signature.

Considering our hypothetical sandboxed image editor, those entitlements are likely to include com.apple.security.files.user-selected.read-write, giving the app read and write access to files the user has selected in a standard macOS Open or Save dialog.

There is some overlap here with privacy protection, as controlled by TCC. The standard user folder for images is ~/Pictures, so to gain read and write access to that the app needs an entitlement for com.apple.security.assets.pictures.read-write as well. Then there’s the need to gain direct access to any built-in or external camera to capture movies and still images, requiring com.apple.security.device.camera, another entitlement that overlaps with those for privacy protection.

What started off as an app running entirely within the app sandbox is gradually being allowed to do more, and its sandbox is becoming less effective as the app gains access to more outside resources.

Apple requires that all apps distributed through its App Store run in their app sandbox, something marked in the app by another entitlement com.apple.security.app-sandbox, and explained here.

The Finder and other bundled utilities in macOS don’t reveal the entitlements claimed by sandboxed apps, indeed they don’t even tell you whether an app runs in a sandbox in the first place. For that you’ll need a third-party tool such as Mothers Ruin’s Apparency, or my own free Taccy. Some sandboxed apps have such long lists of entitlements that they seem allowed to do almost anything, and you might wonder how effective that sandbox would be at preventing malicious behaviour from affecting your Mac.

Entitlements aren’t necessarily an indicator that an app is sandboxed, either: com.apple.security.app-sandbox is the tell-tale sign. Apple also uses entitlements to grant access to certain restricted features in macOS, like snapshots. Look at the entitlements of apps like Carbon Copy Cloner that have access to snapshots and you’ll see com.apple.developer.vfs.snapshot there for that purpose, even though that app isn’t sandboxed.

Because entitlements, including that to sandbox the app, are burned into an app’s signature, the only way to remove any of them is to strip the app’s signature altogether, and remove the whole lot. These days, you’ll then have to re-sign the app using an ad hoc signature, and you’re pretty well guaranteed that your doctored app won’t run at all. So there’s no practical way out of sandboxing and entitlements for those apps that require them.

Because App Store apps have to be sandboxed, but notarized apps supplied outside the App Store don’t, it might be tempting to see them as alternatives, or complementary to one another, but they’re very different. Some apps like BBEdit are both sandboxed and notarized, but that’s usually even harder than it sounds, and quite an accomplishment when it works well. But the restrictions of the sandbox make it impossible for many apps to do their jobs, so there will always be a need for those that don’t run in a sandbox.

9Comments

Add yours

1

Steve Harris on June 24, 2023 at 10:47 am

Activity Monitor can tell you whether a running app is sandboxed if you show the “Sandbox” column, although that’s all it can tell you.

Related, but maybe out of scope for your guide, Mac apps can bundle XPC services (https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html) with different privileges to the app itself — for example, to make network requests, but with read-only access to files.

These can also be used to make sandboxed apps distributed outside the Mac App Store viable by bundling non-sandboxed XPC services to provide things like Sparkle app updates (where updating the app would be impossible in a sandboxed app) or a crash reporter (the sandboxed app itself would have no way of automatically accessing the crash report files).

LikeLiked by 1 person
- 2
  
  hoakley on June 24, 2023 at 7:26 pm
  
  Thank you: I hadn’t realised that was buried in Activity Monitor. What a strange place to put it.
  Helper apps are now extremely common, and Apple actively encourages them for may other reasons. They have always been standard for running processes at increased levels of privilege. Yes, they require separate checks for sandboxing and entitlements. macOS never ceases to become more complex and confusing. Sparkle updaters have always been dependent on a helper, of course.
  Howard.
  
  LikeLike
  - 3
    
    Max on July 22, 2023 at 5:16 am
    
    Technically, it makes sense that it is shown in Activity Monitor. The sandbox is initialized by the linker (dyld), which processes the entitlements. Hence, it is only known at runtime, whether an app is actually sandboxed. There are some ways of creating apps with the app-sandbox entitlement, but still being unsandboxed at runtime, see https://ubrigens.com/posts/sandbox_initialisation_bypasses.html for some details.
    
    The same blog also offers a good introduction to the technical details of the App Sandbox mechanism: https://ubrigens.com/posts/sandbox_tour.html.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on July 22, 2023 at 9:35 am
      
      Thank you.
      I think you’re missing the point. Many of us want to know whether any given app is sandboxed, notarized, or whatever. Apple assures us that these are really important for our security, but then makes it difficult to find out that info. Have you used Apparency, for example? Sure, the odd (really odd) malicious app might mislead it with a sandbox escape. But that’s not why we’re looking. We’re not security researchers.
      Howard.
      
      LikeLike
    - 5
      
      Max on July 22, 2023 at 9:53 am
      
      Yes, you are absolutely right! From the user’s perspective it is not at all apparent. My initial thought on this was to add some lock icon to the title bar of a sandboxed app window, but research has shown that security indicators are not really useful and the approach will fail with customized UIs or full-screen apps.
      
      I forgot to mention that apps can be sandboxed without using the App Sandbox, i. e., enabling the sandbox manually and not use the entitlement. This is the case for Chrome and Firefox. However, this is not documented and not accepted in the App Store. The other way round, which I described in my earlier comment, can definitely be considered a security issue.
      
      Hence, from the implementation point of view, it makes perfect sense to show it alongside other information about a running process. From the user’s perspective, it is not clear at all without the additional apps you mentioned or even created yourself.
      
      Note that the topic is a bit more complicated, e. g., an app can use the App Sandbox, but contain rules that loosen the restrictions (to some degree). This would be checked for App Store apps. Furthermore, XPC services can have different entitlements. For App Store apps, XPC services need to be sandboxed as well, but the App Sandbox entitlement is not enabled by default in Xcode for them, and hence, apps distributed outside of the App Store might have unrestricted access through the XPC service, even though the app is sandboxed itself.
      
      LikeLiked by 1 person
6

G.J. Parker on June 24, 2023 at 3:42 pm

If the entitlement is controlled by TCC, one can access/modify/delete/add permissions via command line using sqlite3. It’s not for the faint of heart, though: https://entonos.com/2023/06/23/how-to-modify-tcc-on-macos/

LikeLiked by 1 person
- 7
  
  hoakley on June 24, 2023 at 7:28 pm
  
  Thank you. There is another snag with trying that: if that database gets reset, as it will most probably when upgrading macOS, or when trying to fix privacy problems, then any such changes get blown away.
  Howard.
  
  LikeLike
  - 8
    
    G.J. Parker on June 25, 2023 at 6:16 pm
    
    Thank you. While I certainly agree none of this is documented by Apple therefore subject to change significantly at anytime, if you parse tccd with strings you find sqlite commands in that executable concerning kTCCServiceEndpointSecurityClient and kTCCServiceSystemPolicyAllFiles.
    
    Not clear to me how Apple would blow away the database without breaking a bunch of things in System Settings…>Privacy & Security. Perhaps they have a way to reconstruct from scratch, but it seems to me that would be quite difficult. But, again, since it is all undocumented, I won’t strongly disagree.
    
    Two useful side effects are knowing how some applications can change these databases if you give them an administration password- MalwareBytes and App Cleaner & Uninstaller for two. And one can inspect the databases directly. Was a bit surprise by all the stuff in there.
    
    LikeLiked by 1 person
    - 9
      
      hoakley on June 25, 2023 at 6:35 pm
      
      Thank you.
      Try the tccutil reset command, which is often advocated as a means of addressing persistent privacy problems. The database is also sometimes updated with macOS upgrades, although some settings from the existing database should then be migrated. Some users find that migration is far from complete.
      Howard.
      
      LikeLike

·Comments are closed.

Share this:

Related