Sandbox/Mac/Debugging
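Using the (trace <filename>) Option
The listing below shows a profile that combines (deny default) with (trace "trace.sb"), a command run under that profile with sandbox-exec, and the resulting trace.sb, which holds one allow rule for each operation the process performed. Treat the generated rules as a starting point and review them before reusing them in a profile; this trace, for example, includes a file-read-data rule for the user's home directory.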
~ $ cat test.sb
(version 1)
(debug all)
(trace "trace.sb")
(deny default)
~ $ sandbox-exec -f ./test.sb ls /tmp
com.apple.launchd.TxO9Zrlk0Y textmate-501.sock com.apple.launchd.Wx9IMgekbf wifi-Uy2Oqp.log
~ $ cat trace.sb
(version 1) ; Thu Aug 11 10:46:24 2016
(allow process-exec* (path "/bin/ls"))
(allow process-exec* (path "/bin/ls"))
(allow file-read-metadata (path "/usr/lib/libutil.dylib"))
(allow file-read-metadata (path "/usr/lib/libncurses.5.4.dylib"))
(allow file-read-metadata (path "/usr/lib/libSystem.B.dylib"))
(allow file-read-metadata (path "/usr/lib/libc++.1.dylib"))
(allow file-read-metadata (path "/usr/lib/libc++abi.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcache.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcommonCrypto.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcompiler_rt.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcopyfile.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcorecrypto.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libdispatch.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libdyld.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libkeymgr.dylib"))
(allow file-read-metadata (path "/usr/lib/system/liblaunch.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libmacho.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libquarantine.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libremovefile.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_asl.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_blocks.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_c.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_configuration.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_coreservices.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_coretls.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_dnssd.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_info.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_kernel.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_m.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_malloc.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_network.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_networkextension.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_notify.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_platform.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_pthread.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_sandbox.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_secinit.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_trace.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libunc.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libunwind.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libxpc.dylib"))
(allow file-read-metadata (path "/usr/lib/libobjc.A.dylib"))
(allow file-read-metadata (path "/usr/lib/libauto.dylib"))
(allow file-read-metadata (path "/usr/lib/libDiagnosticMessagesClient.dylib"))
(allow file-read-data (path "/dev/dtracehelper"))
(allow file-write-data (path "/dev/dtracehelper"))
(allow file-ioctl (path "/dev/dtracehelper"))
(allow sysctl-read (sysctl-name "kern.usrstack64"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_COLLATE"))
(allow file-read-data (path "/usr/share/locale/la_LN.US-ASCII/LC_COLLATE"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_CTYPE"))
(allow file-read-data (path "/usr/share/locale/UTF-8/LC_CTYPE"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_MONETARY"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_MONETARY"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_NUMERIC"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_NUMERIC"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_TIME"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_TIME"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/LC_MESSAGES"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/LC_MESSAGES"))
(allow file-read-metadata (path "/tmp"))
(allow file-read-metadata (path "/private/tmp"))
(allow file-read-data (path "/Users/haftandilian"))
(allow file-read-metadata (path "/tmp"))
(allow file-read-data (path "/private/tmp"))
(allow sysctl-read (sysctl-name "hw.pagesize_compat"))
~ $
Using opensnoop(1m) to Observe Content Process File I/O
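You can use opensnoop(1m) to see which files the content process is opening. For this listing, I had opensnoop running when Nightly was started, so some of these opens likely happened before the content process turned on the sandbox. In the command below, -x limits the output to failed opens, and -v and -e add the timestamp and errno columns; every entry shown has file descriptor -1 and errno 2 (ENOENT), so these are lookups of paths that do not exist rather than sandbox denials, which typically show up as errno 1 (EPERM). Passing the -t option to opensnoop will get it to print the stack trace of the user program.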
~ $ sudo opensnoop -xve -n plugin-container 2>/dev/null
...
2016 Aug 11 11:25:32 501 2745 plugin-container -1 2 /Users/haftandilian/Library/Autosave Information/org.mozilla.plugincontainer.plist
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AppleScript.component/Contents/Resources/Base.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AudioCodecs.component/Contents/Resources/Base.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AudioDSP.component/Contents/Resources/en.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AudioDSP.component/Contents/Resources/Base.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources/English.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources/Base.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/CoreAudio.component/Contents/Resources/Base.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/JavaScript.component/Contents/Resources/Base.lproj
2016 Aug 11 11:25:47 501 2743 plugin-container -1 2 /System/Library/Components/JavaScript.component/Contents/Resources/English.lproj
...