Security/Sandbox/macOS Release

From MozillaWiki

macOS Sandbox Updates

When Apple issues a new macOS release, it often includes new pieces of sandbox functionality. These can take the form of new top-level operations to allow/deny or new filters which are applied to other top-level operations, allowing rules to be more narrowly targeted.

Because the macOS sandboxing APIs we use aren't public, Apple doesn't document new (or existing) sandbox rules, so if we want to find the new ones, we have to do it ourselves! (Despite these APIs not being public, we aren't overly concerned about their removal or substantial breakage, because every browser depends on them: us, Chrome, and Safari.) The rest of this document covers the process I've been going through on each new macOS release to hunt for useful new sandboxing functionality.


libsandbox.dylib

libsandbox.dylib provides the userspace portion of the macOS sandboxing API. This component is responsible for compiling the Scheme-derived sandboxing DSL into the bytecode consumed by the kernel. As a result, it knows about all of the different rule types used in sandbox profiles.

Before upgrading macOS, extract all of the relevant strings from libsandbox.dylib:

$ strings /usr/lib/libsandbox.dylib | sort > sandbox-old.txt

After you've upgraded, extract the strings from the new file:

$ strings /usr/lib/libsandbox.dylib | sort > sandbox-new.txt

Now diff them:

$ diff -u sandbox-{old,new}.txt

There'll be a lot of extraneous, uninteresting changes: for example, changes to version numbers, release dates, or internal snippets of Scheme. The primary thing you are looking for is new strings which look like they might be the names of operations that the sandbox can now control. A common theme is finding new variants of existing rule sets, for example a new file-{operation} rule.


/System/Library/Sandbox/Profiles/

This directory contains the sandbox policies for system services. These provide useful examples of how rules are used in practice. Changes between macOS releases show what it looks like when Apple takes advantage of new sandboxing rules it has introduced.

Again, before upgrading, make a backup of /System/Library/Sandbox/Profiles/:

$ mkdir sandbox-old
$ cp /System/Library/Sandbox/Profiles/*.sb sandbox-old/

Now, after upgrading, compare the new policies with the old ones:

$ diff -u -r sandbox-old/ /System/Library/Sandbox/Profiles/

Again, you're looking for the introduction of new rules into the existing policies.
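The two diffs above (the libsandbox.dylib strings diff and the Profiles directory diff) produce a lot of noise by hand. The script below is an added example, not part of the wiki page or of any Mozilla tooling: it filters the strings diff down to lines shaped like operation names, extracts the operations that the .sb profiles actually use, and intersects the two so that a new string Apple also started using in a shipped profile stands out. File and directory names (sandbox-old.txt, sandbox-new.txt, sandbox-old/) follow the page; the sample dumps and profiles it builds are constructed for the demonstration, and the "new" operation names in them are illustrative only, not a claim about any particular release.

```shell
#!/bin/sh
# Added example (not from the wiki page): a small toolkit for the two diffs
# described above. All sample data is constructed for the demo.
export LC_ALL=C   # deterministic collation so sort and comm agree

# Operation names look like lowercase words joined by '-', optionally ending
# in '*' (file-read*, mach-lookup, process-info*). Version numbers, dates and
# Scheme fragments from a strings dump do not match this shape.
OP_RE='[a-z]+(-[a-z0-9]+)+\*?'

# Lines present only in the new strings dump that look like operation names.
# Both inputs must be sorted, as in the page's `strings | sort` step.
new_operation_candidates() {
    comm -13 "$1" "$2" | grep -E "^${OP_RE}\$" || true
}

# Every operation named in an (allow ...) or (deny ...) form in a profile dir.
operations_used_in_profiles() {
    find "$1" -name '*.sb' -exec grep -hoE "\((allow|deny) ${OP_RE}" {} + \
        | awk '{ print $2 }' | sort -u
}

# Operations used by the new profiles but by none of the old ones.
newly_used_operations() {
    old_used=$(mktemp); new_used=$(mktemp)
    operations_used_in_profiles "$1" > "$old_used"
    operations_used_in_profiles "$2" > "$new_used"
    comm -13 "$old_used" "$new_used"
    rm -f "$old_used" "$new_used"
}

# Strings-diff candidates that a shipped profile now actually uses.
# Arguments: old-strings new-strings old-profile-dir new-profile-dir
confirmed_candidates() {
    cand=$(mktemp); used=$(mktemp)
    new_operation_candidates "$1" "$2" > "$cand"
    newly_used_operations "$3" "$4" > "$used"
    comm -12 "$cand" "$used"
    rm -f "$cand" "$used"
}

# Build constructed fixtures under "$1": two strings dumps and two profile
# dirs. The "new" dump mixes typical noise (a version, a date, a Scheme
# fragment) with three illustrative operation names; only file-clone is
# also picked up by the new sample profile.
make_fixtures() {
    mkdir -p "$1/sandbox-old" "$1/sandbox-new"
    printf '%s\n' '(define (allow-lookup) ...)' 'version 1.0' \
        'file-read*' 'file-write*' 'iokit-open' 'mach-lookup' 'network-outbound' \
        | sort > "$1/sandbox-old.txt"
    printf '%s\n' '(define (allow-lookup) ...)' 'version 2.0' '2000-01-01' \
        'file-clone' 'file-map-executable' 'file-read*' 'file-write*' \
        'iokit-open' 'mach-lookup' 'network-outbound' 'process-info*' \
        | sort > "$1/sandbox-new.txt"
    cat > "$1/sandbox-old/example.sb" <<'EOF'
(version 1)
(deny default)
(allow file-read* (subpath "/usr/lib"))
(allow mach-lookup (global-name "com.example.service"))
EOF
    cat > "$1/sandbox-new/example.sb" <<'EOF'
(version 1)
(deny default)
(allow file-read* (subpath "/usr/lib"))
(allow file-clone (subpath "/private/tmp"))
(allow mach-lookup (global-name "com.example.service"))
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_fixtures "$tmp"
    echo "candidates: $(new_operation_candidates "$tmp/sandbox-old.txt" "$tmp/sandbox-new.txt" | xargs)"
    echo "newly used: $(newly_used_operations "$tmp/sandbox-old" "$tmp/sandbox-new" | xargs)"
    echo "confirmed:  $(confirmed_candidates "$tmp/sandbox-old.txt" "$tmp/sandbox-new.txt" "$tmp/sandbox-old" "$tmp/sandbox-new" | xargs)"
    rm -rf "$tmp"
}

demo
```

On a real upgrade you would call `new_operation_candidates sandbox-old.txt sandbox-new.txt` and `newly_used_operations sandbox-old/ /System/Library/Sandbox/Profiles/` on the files the page has you collect. The name filter is a heuristic: it deliberately drops strings with spaces or leading digits, but it also drops single-word operations (such as `default`), so still skim the raw `diff -u` output rather than relying on the filtered list alone.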