In chapter 2 of their book The Mac Hacker’s Handbook (is there only one Mac hacker?), Charlie Miller and Dino Dai Zovi note that an attacker playing with a sandboxed process could break out of the sandbox via launchd. The reasoning goes that the attacker just uses the target process to submit a launchd job. Launchd, which is not subject to sandbox restrictions, then loads the job, executing the attacker’s payload in an environment where it will have more capabilities.
This led me to wonder whether I could construct a sandbox profile that would stop a client process from submitting launchd jobs. I have done that, but not in a very satisfying way or even necessarily a particularly complete one. My profile does this:
(version 1) (deny default) (debug deny) (allow process-exec) (allow file-fsctl) (allow file-ioctl) ; you can probably restrict access to even more files - don't forget to let dyld link Cocoa though! (allow file-read* file-write*) (deny file-read* (regex "^/System/Library/Frameworks/ServiceManagement.framework")) (deny file-read* (literal "/bin/launchctl" "/bin/launchd")) (allow signal (target self)) (allow ipc-posix-shm) (allow sysctl*) ; this lot was empirically discovered - Cocoa apps needs these servers (allow mach-lookup (global-name "com.apple.system.notification_center" "com.apple.system.DirectoryService.libinfo_v1" "com.apple.system.DirectoryService.membership_v1" "com.apple.distributed_notifications.2" "com.apple.system.logger" "com.apple.SecurityServer" "com.apple.CoreServices.coreservicesd" "com.apple.FontServer" "com.apple.dock.server" "com.apple.windowserver.session" "com.apple.pasteboard.1" "com.apple.pbs.fetch_services" "com.apple.tsm.uiserver"))
So processes run in the above sandbox profile are not allowed to use the launchd or launchctl processes, nor can they link the ServiceManagement framework that allows Cocoa apps to discover and submit jobs directly.
Unfortunately I wasn’t able to fully meet my goal: a process can still do the same IPC that launchctl et al use directly. I found that if I restricted IPC access to launchd, apps would crash when trying to check-in with the daemon. Of course the IPC protocol is completely documented so it might be possible to do finer-grained restrictions, but I’m not optimistic.
Of course, standard disclaimers apply: the sandbox Scheme environment is supposed to be off-limits to us smelly non-Apple types.