├── bin
│   ├── Skype
│   └── firefox-bin
├── README.rst
├── firefox.sb
└── skype.sb

/bin/Skype:
--------------------------------------------------------------------------------
#!/bin/sh
# Bridged starter: the README steps rename the original binary to Skype.real,
# and this script runs it under the Skype sandbox profile. exec replaces the
# shell with the sandboxed process and "$@" forwards any launch arguments.

exec /usr/bin/sandbox-exec \
    -f /Users/Shared/macos-sandbox-profiles/skype.sb \
    /Applications/Skype.app/Contents/MacOS/Skype.real "$@"
--------------------------------------------------------------------------------

/bin/firefox-bin:
--------------------------------------------------------------------------------
#!/bin/sh
# Bridged starter: the README steps rename the original binary to
# firefox-bin.real, and this script runs it under the Firefox sandbox profile.
# exec replaces the shell with the sandboxed process and "$@" forwards any
# launch arguments (e.g. a URL handed to the browser).

exec /usr/bin/sandbox-exec \
    -f /Users/Shared/macos-sandbox-profiles/firefox.sb \
    /Applications/Firefox.app/Contents/MacOS/firefox-bin.real "$@"
--------------------------------------------------------------------------------

/README.rst:
--------------------------------------------------------------------------------
Mac OS Sandbox Profiles
=======================

To prevent security issues in an application from compromising your system, it is
possible to run it inside a ``sandbox`` on OS X. I started writing some sandbox files.

E.g. http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking

Problem
-------

To run any application inside the sandbox, two things are needed:

- a sandbox file that grants enough permissions

- a modification of the original application package, to "bridge" the application's
  binary to a sandboxed version.

The first point is pretty easy to build; the second point is a bit insecure, as an
application could overwrite our "bridged starter" via an update. If anyone has a good
idea, let me know.

Links
-----

- http://apple.stackexchange.com/questions/124799/how-to-sandbox-individual-applications-on-os-x-mavericks

How to
------

Check out the repo to ``/Users/Shared/macos-sandbox-profiles``.

Do the following to protect Skype and Firefox (the profiles currently provided
here). Further applications will be supported the same way.

::

    cd /Applications/Firefox.app/Contents/MacOS/
    sudo mv firefox-bin firefox-bin.real
    sudo ln -sf /Users/Shared/macos-sandbox-profiles/bin/firefox-bin .

    cd /Applications/Skype.app/Contents/MacOS/
    sudo mv Skype Skype.real
    sudo ln -sf /Users/Shared/macos-sandbox-profiles/bin/Skype .

Issues
------

- Currently it is not possible to allow Firefox to start e.g. ``Preview.app`` to display
  PDF files from the browser. The file has to be downloaded first, which is not as
  convenient as it could be. Please tell me how to do it, if you know.
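The bridging steps above, as an added example that is not part of the repository: a Python form of the ``mv`` + ``ln -sf`` procedure that can be re-run safely (the plain ``mv`` would clobber the real binary on a second run), plus a status check that notices when an application update has replaced the symlink, the concern raised under Problem. The ``firefox-bin`` name and ``.real`` convention are those of the steps above; the scratch directory built in ``demo()`` is constructed for the run.

```python
"""Idempotent form of the README's bridging steps (added example, not part of the
repository): <name>.real is the moved original, wrapper the starter from bin/."""
import os
import tempfile
from pathlib import Path

INTACT, BROKEN, UNBRIDGED = "intact", "broken", "unbridged"

def bridge_status(macos_dir, name, wrapper):
    """BROKEN: .real exists but the entry point is no longer our symlink (e.g. an
    update replaced it), so the app currently starts without the sandbox."""
    link = Path(macos_dir) / name
    if not link.with_name(name + ".real").exists():
        return UNBRIDGED
    if link.is_symlink() and os.readlink(link) == os.fspath(wrapper):
        return INTACT
    return BROKEN

def bridge_app(macos_dir, name, wrapper):
    """mv + ln -sf, safely repeatable. The README's plain mv must never run twice
    (it would overwrite the real binary with the symlink), so only a regular file
    at the entry point, original or dropped by an update, is moved to .real."""
    link = Path(macos_dir) / name
    status = bridge_status(macos_dir, name, wrapper)
    if status == INTACT:
        return status
    if link.is_file() and not link.is_symlink():
        link.replace(link.with_name(name + ".real"))
    elif status == UNBRIDGED:
        raise FileNotFoundError(f"nothing to bridge at {link}")
    if link.is_symlink():
        link.unlink()  # stale or foreign symlink
    link.symlink_to(wrapper)
    return bridge_status(macos_dir, name, wrapper)

def demo():
    """Scratch run: bridge, repeat (no-op), then simulate an update that drops a
    new binary over the symlink. Returns the statuses seen and .real's content."""
    root = Path(tempfile.mkdtemp())
    macos, wrapper = root / "MacOS", root / "bin" / "firefox-bin"
    link = macos / "firefox-bin"
    for d in (macos, wrapper.parent):
        d.mkdir()
    link.write_text("original")
    wrapper.write_text("#!/bin/sh\n")
    seen = [bridge_status(macos, "firefox-bin", wrapper)]
    seen += [bridge_app(macos, "firefox-bin", wrapper) for _ in range(2)]
    link.unlink()
    link.write_text("updated")  # what an application update would do
    seen += [bridge_status(macos, "firefox-bin", wrapper), bridge_app(macos, "firefox-bin", wrapper)]
    return seen, link.with_name("firefox-bin.real").read_text()
```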
--------------------------------------------------------------------------------

/firefox.sb:
--------------------------------------------------------------------------------
(version 1)

; Default-deny: everything not explicitly allowed below is refused.
(deny default)

(allow signal (target self))

(allow file*
    (literal "/dev/dtracehelper")
    (literal "/dev/urandom")
    (literal "/dev/null")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Application Support/Firefox")
    (subpath "/tmp")
    (subpath "/private/tmp")
)

(allow file-read*
    (literal "/Library/Application Support/Macromedia/FlashPlayerTrust")
    (subpath "/usr")
    (subpath "/System/Library/Frameworks")
    ; Note: this grants read access to every file in every user's home directory.
    (regex #"^/Users/[a-zA-Z0-9_]+")
    (subpath "/Library/Preferences")
    (subpath "/Applications/Firefox.app")
    (subpath "/var")
    (subpath "/private/var")
    (subpath "/private/etc")
    (subpath "/Library/Application Support/Mozilla")
    (subpath "/Library/ColorSync/Profiles/Displays")
    (subpath "/Library/PreferencePanes")
    (subpath "/Applications/Preview.app")
    (subpath "/Applications/MacVim.app")
    (subpath "/Applications/Amazon MP3 Downloader.app")
)

(allow file-read-data
    (literal "/")
    (literal "/Library")
    (literal "/Library/Audio/Plug-Ins/HAL")
    (literal "/Library/Application Support/Macromedia/FlashAuthor.cfg")
    (literal "/dev/fd")
    (literal "/Applications")
    (literal "/Applications/Preview.app")
    (literal "/Applications/Preview.app/Contents/MacOS/Preview/..namedfork/rsrc")
    (literal "/dev/random")
    (subpath "/System/Library/CoreServices")
    (subpath "/System/Library")
    (subpath "/Library/Fonts")
    (subpath "/Library/Internet Plug-Ins")
    (subpath "/Library/InputManagers")
    (subpath "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin")
    (subpath "/Applications/Safari.app")
    (subpath "/Library/Application Support/Macromedia/FlashPlayerTrust")
    (subpath "/Library/QuickTime/EyeTV MPEG Support.component")
    (subpath "/Library/Dictionaries")
)

(allow file-read-metadata
    (literal "/")
    (subpath "/etc")
    (subpath "/Applications")
    (subpath "/System")
    (subpath "/Library")
    (subpath "/Users")
)

(allow process-fork)
(allow ipc-posix-sem)
(allow ipc-sysv-shm)
(allow ipc-posix-shm)
(allow mach-lookup)
(allow network-outbound)
(allow network-inbound (local ip))
(allow sysctl-read)
(allow sysctl-write)
(allow system-socket)
; Only the bridged binary and the plugin container may be executed.
(allow process-exec
    (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin.real")
    (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
)

(allow file-write*
    (literal "/Applications/Firefox.app/Contents/MacOS/update.test")
    (subpath "/Library/Caches")
    (subpath "/private/var/folders")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Firefox")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Preferences")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/TemporaryItems")
    (regex #"^/Users/[a-zA-Z0-9_]+/Downloads")
)

(allow job-creation
    (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin.real")
    (subpath "/Applications/Preview.app")
    (subpath "/Applications/MacVim.app")
    (subpath "/Applications/Amazon MP3 Downloader.app")
)

(allow file-write-data
    (subpath "/var/log")
    (subpath "/private/var/folders")
)

; all|deny: log every sandbox decision, or only denials
(debug all)
--------------------------------------------------------------------------------

/skype.sb:
--------------------------------------------------------------------------------
(version 1)

; Default-deny: everything not explicitly allowed below is refused.
(deny default)

(allow signal (target self))

(allow file*
    (literal "/dev/dtracehelper")
    (literal "/dev/urandom")
    (literal "/dev/null")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Application Support/Skype")
    (subpath "/tmp")
    (subpath "/private/tmp")
    (regex #"^/Library/Address Book Plug-Ins/Skype[a-zA-Z]+.bundle.*")
)

(allow file-read*
    (subpath "/usr")
    (subpath "/System/Library/Frameworks")
    ; Note: this grants read access to every file in every user's home directory.
    (regex #"^/Users/[a-zA-Z0-9_]+")
    (subpath "/Library/Preferences")
    (subpath "/Applications/Skype.app")
    (subpath "/var")
    (subpath "/private/var")
    (subpath "/private/etc")
    (subpath "/Library/Application Support/Mozilla")
    (subpath "/Library/ColorSync/Profiles/Displays")
    (subpath "/Library/PreferencePanes")
    (subpath "/Applications/Preview.app")
    (subpath "/Applications/MacVim.app")
)

(allow file-read-data
    (literal "/")
    (literal "/dev/random")
    (literal "/Library")
    (literal "/Library/Audio/Plug-Ins/HAL")
    (literal "/dev/fd")
    (literal "/Applications")
    (literal "/Applications/Preview.app")
    (literal "/Applications/Preview.app/Contents/MacOS/Preview/..namedfork/rsrc")
    (subpath "/System/Library/CoreServices")
    (subpath "/System/Library")
    (subpath "/Library/Spelling")
    (subpath "/Library/Fonts")
    (subpath "/Library/Internet Plug-Ins")
    (subpath "/Library/InputManagers")
    (subpath "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin")
    (regex #"^/Library/QuickTime/Google Camera Adapter [0-9]+.component")
    (subpath "/Library/QuickTime/EyeTV MPEG Support.component")
    (subpath "/Applications/iTunes.app")
)

(allow file-read-metadata
    (literal "/")
    (literal "/Network")
    (subpath "/etc")
    (subpath "/Applications")
    (subpath "/System")
    (subpath "/Library")
    (subpath "/Users")
)

(allow process-fork)
(allow ipc-posix-sem)
(allow ipc-sysv-shm)
(allow ipc-posix-shm)
(allow mach-lookup)
(allow network-outbound)
(allow network-inbound (local ip))
(allow sysctl-read)
(allow sysctl-write)
(allow system-socket)
; Only the bridged binary and the plugin container may be executed.
(allow process-exec
    (literal "/Applications/Skype.app/Contents/MacOS/Skype.real")
    (literal "/Applications/Skype.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
)

(allow file-write*
    (subpath "/Library/Caches")
    (subpath "/private/var/folders")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Skype")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/com.skype.skype/.*")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Preferences")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/TemporaryItems")
    (regex #"^/Users/[a-zA-Z0-9_]+/Downloads")
    ; The two rules below are tied to one user name, unlike the regex rules above.
    (literal "/Users/abalke/Library/Keychains/login.keychain")
    (subpath "/Users/abalke/Library/Cookies")
)

(allow job-creation
    (literal "/Applications/Skype.app/Contents/MacOS/Skype.real")
    (subpath "/System/Library/CoreServices/Software Update.app")
    (subpath "/Applications/Preview.app")
    (subpath "/Applications/MacVim.app")
)

(allow file-write-data
    (subpath "/var/log")
    (subpath "/private/var/folders")
    (subpath "/private/var/db/DetachedSignatures")
    (literal "/Library/Preferences/com.apple.mediaio.DeviceSettings.plist")
)

; all|deny: log every sandbox decision, or only denials
(debug all)
--------------------------------------------------------------------------------
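An added review helper for the two profiles above, not part of the repository: it parses SBPL as S-expressions and lists every rule of the selected allow operations whose path pattern reaches into ``/Users`` without being confined to the application's own folders. On the inline excerpt of ``firefox.sb`` (copied from the profile above) it shows that ``file-read*`` covers the whole home directory and ``file-write*`` covers all of ``~/Library/Preferences`` and ``~/Downloads``; the marker strings and operation groups are this helper's own conventions.

```python
"""Review helper for the sandbox profiles above (added example, not part of the
repository): parses SBPL as S-expressions and lists rules of selected allow
operations that reach into /Users without being confined to the app's folders."""
import re

# "(", ")", string literal with optional regex prefix #"...", or bare atom; whitespace and ; comments are dropped.
TOKEN = re.compile(r'\s+|;[^\n]*|(\()|(\))|#?"((?:[^"\\]|\\.)*)"|([^\s()";]+)')

def parse_sbpl(text):
    """Return the profile as nested lists; literals and atoms become str."""
    stack = [[]]
    for lpar, rpar, string, atom in (m.groups() for m in TOKEN.finditer(text)):
        if lpar:
            stack.append([])
        elif rpar:
            form = stack.pop()
            stack[-1].append(form)
        elif string is not None or atom:
            stack[-1].append(string if string is not None else atom)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]

def home_grants(profile, ops, app_markers):
    """(operation, filter, pattern) for each rule of an allow form in ops whose
    pattern lies under /Users and mentions none of app_markers."""
    found = []
    for form in parse_sbpl(profile):
        if isinstance(form, list) and len(form) > 2 and form[0] == "allow" and form[1] in ops:
            for flt in form[2:]:
                if (isinstance(flt, list) and len(flt) == 2
                        and flt[1].lstrip("^").startswith("/Users/")
                        and not any(m in flt[1] for m in app_markers)):
                    found.append((form[1], flt[0], flt[1]))
    return found

WRITE_OPS = ("file*", "file-write*", "file-write-data")
READ_OPS = ("file*", "file-read*", "file-read-data")
# Excerpt of firefox.sb from this repository: the rules that touch /Users.
FIREFOX_EXCERPT = r'''
(version 1)
(allow file* (literal "/dev/null")
  (regex #"^/Users/[a-zA-Z0-9_]+/Library/Application Support/Firefox"))
(allow file-read* (subpath "/usr") (regex #"^/Users/[a-zA-Z0-9_]+"))
(allow file-write*
  (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Firefox")
  (regex #"^/Users/[a-zA-Z0-9_]+/Library/Preferences")
  (regex #"^/Users/[a-zA-Z0-9_]+/Downloads"))
; all|deny
(debug all)
'''
```

Running ``home_grants(FIREFOX_EXCERPT, WRITE_OPS, ("Firefox",))`` against the full profile instead of the excerpt lists the same two user-wide write rules plus ``TemporaryItems``.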