Sandbox/Mac/Debugging

Revision as of 18:16, 21 September 2016 by Haftandilian (talk | contribs) (Added launchctl Info)


Using the (trace <filename>) Option

~ $ cat test.sb 
(version 1)
(debug all)
(trace "trace.sb")
(deny default)

~ $ sandbox-exec -f ./test.sb ls /tmp
com.apple.launchd.TxO9Zrlk0Y	textmate-501.sock
com.apple.launchd.Wx9IMgekbf	wifi-Uy2Oqp.log

~ $ cat trace.sb
(version 1) ; Thu Aug 11 10:46:24 2016
(allow process-exec* (path "/bin/ls"))
(allow process-exec* (path "/bin/ls"))
(allow file-read-metadata (path "/usr/lib/libutil.dylib"))
(allow file-read-metadata (path "/usr/lib/libncurses.5.4.dylib"))
(allow file-read-metadata (path "/usr/lib/libSystem.B.dylib"))
(allow file-read-metadata (path "/usr/lib/libc++.1.dylib"))
(allow file-read-metadata (path "/usr/lib/libc++abi.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcache.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcommonCrypto.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcompiler_rt.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcopyfile.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libcorecrypto.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libdispatch.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libdyld.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libkeymgr.dylib"))
(allow file-read-metadata (path "/usr/lib/system/liblaunch.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libmacho.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libquarantine.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libremovefile.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_asl.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_blocks.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_c.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_configuration.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_coreservices.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_coretls.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_dnssd.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_info.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_kernel.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_m.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_malloc.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_network.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_networkextension.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_notify.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_platform.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_pthread.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_sandbox.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_secinit.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libsystem_trace.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libunc.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libunwind.dylib"))
(allow file-read-metadata (path "/usr/lib/system/libxpc.dylib"))
(allow file-read-metadata (path "/usr/lib/libobjc.A.dylib"))
(allow file-read-metadata (path "/usr/lib/libauto.dylib"))
(allow file-read-metadata (path "/usr/lib/libDiagnosticMessagesClient.dylib"))
(allow file-read-data (path "/dev/dtracehelper"))
(allow file-write-data (path "/dev/dtracehelper"))
(allow file-ioctl (path "/dev/dtracehelper"))
(allow sysctl-read (sysctl-name "kern.usrstack64"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_COLLATE"))
(allow file-read-data (path "/usr/share/locale/la_LN.US-ASCII/LC_COLLATE"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_CTYPE"))
(allow file-read-data (path "/usr/share/locale/UTF-8/LC_CTYPE"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_MONETARY"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_MONETARY"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_NUMERIC"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_NUMERIC"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_TIME"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_TIME"))
(allow file-read-metadata (path "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/LC_MESSAGES"))
(allow file-read-data (path "/usr/share/locale/en_US.ISO8859-1/LC_MESSAGES/LC_MESSAGES"))
(allow file-read-metadata (path "/tmp"))
(allow file-read-metadata (path "/private/tmp"))
(allow file-read-data (path "/Users/haftandilian"))
(allow file-read-metadata (path "/tmp"))
(allow file-read-data (path "/private/tmp"))
(allow sysctl-read (sysctl-name "hw.pagesize_compat"))
~ $

Using opensnoop(1m) to Observe Content Process File I/O

You can use opensnoop(1m) to see which files the content process is opening. For this listing, opensnoop was already running when Nightly was started, so some of these opens likely happened before the content process enabled its sandbox. Because -x was passed, only failed opens are shown: the -1 column is the returned file descriptor and the column after it is the errno (here 2, ENOENT). Passing the -t option to opensnoop makes it print the user program's stack trace for each open.

~ $ sudo opensnoop -xve -n plugin-container 2>/dev/null
...
2016 Aug 11 11:25:32   501   2745 plugin-container  -1   2 /Users/haftandilian/Library/Autosave Information/org.mozilla.plugincontainer.plist 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AppleScript.component/Contents/Resources/Base.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AudioCodecs.component/Contents/Resources/Base.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AudioDSP.component/Contents/Resources/en.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AudioDSP.component/Contents/Resources/Base.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources/English.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/AUSpeechSynthesis.component/Contents/Resources/Base.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/CoreAudio.component/Contents/Resources/Base.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/JavaScript.component/Contents/Resources/Base.lproj 
2016 Aug 11 11:25:47   501   2743 plugin-container  -1   2 /System/Library/Components/JavaScript.component/Contents/Resources/English.lproj 
...

Use launchctl(1) To Learn About com.apple.* Daemons

You can use the launchctl(1) command to learn a bit about daemons and the Mach services they register, which helps when those service names appear in sandbox rules. For example, below we see that com.apple.pasteboard.1 is a Mach service registered by the com.apple.pboard job.

$ launchctl list
PID	Status	Label
-	0	com.apple.CoreAuthentication.daemon
32729	0	com.apple.quicklook
-	0	com.apple.parentalcontrols.check
295	0	com.apple.Finder
-	0	com.apple.PackageKit.InstallStatus
-	0	com.apple.FontWorker
319	0	com.apple.bird
-	0	com.apple.familycontrols.useragent
-	0	com.apple.aos.migrate
-	0	com.apple.universalaccessAuthWarn
328	0	com.apple.nsurlsessiond
-	0	com.apple.syncservices.uihandler
341	0	com.apple.iconservices.iconservicesagent
-	0	com.apple.ManagedClientAgent.agent
-	0	com.apple.screensharing.agent
-	0	com.apple.TMHelperAgent.SetupOffer
-	0	com.apple.AddressBook.SourceSync
-	0	com.apple.familynotificationd
384	0	com.apple.photolibraryd
-	0	com.apple.cfnetwork.cfnetworkagent
-	0	com.apple.xpc.otherbsd
...

$ launchctl list com.apple.pboard
{
	"EnableTransactions" = true;
	"LimitLoadToSessionType" = "Aqua";
	"MachServices" = {
		"com.apple.pasteboard.1" = mach-port-object;
	};
	"Label" = "com.apple.pboard";
	"TimeOut" = 30;
	"OnDemand" = true;
	"LastExitStatus" = 0;
	"PID" = 299;
	"Program" = "/usr/sbin/pboard";
	"ProgramArguments" = (
		"/usr/sbin/pboard";
	);
};