Bug 212817 - use Sandbox/Seatbelt to confine ebuild on Mac OS X 10.5
Summary: use Sandbox/Seatbelt to confine ebuild on Mac OS X 10.5
Status: RESOLVED FIXED
Alias: None
Product: Gentoo/Alt
Classification: Unclassified
Component: Prefix Support
Hardware: All OS X
Importance: High enhancement
Assignee: Gentoo Prefix
URL:
Whiteboard:
Keywords: InVCS
Depends on:
Blocks:
 
Reported: 2008-03-09 12:32 UTC by Michael Weiser
Modified: 2010-09-28 19:26 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
add Mac OS X 10.5 sandboxing to prefix-portage (portage-msb-3.patch, 6.94 KB, patch) -- 2008-03-09 12:34 UTC, Michael Weiser
add sandboxing to bootstrap-prefix.sh (bootstrap-prefix-msb.patch, 1.14 KB, patch) -- 2008-03-20 22:25 UTC, Michael Weiser
add sandboxing to recent version of prefix-portage (portage-2.2.00.14200-msb.patch, 6.89 KB, patch) -- 2009-10-25 12:50 UTC, Michael Weiser
add sandboxing to recent version of bootstrap-prefix.sh (bootstrap-prefix.sh.patch, 1.27 KB, patch) -- 2009-10-25 12:50 UTC, Michael Weiser
add sandboxing to recent version of prefix-portage (seatbelt.patch, 6.98 KB, patch) -- 2009-10-28 19:15 UTC, Fabian Groffen
mac os x sandbox/seatbelt for current prefix-portage (portage-2.2.00.15842-msb.patch, 7.57 KB, patch) -- 2010-03-30 20:20 UTC, Michael Weiser
patch for current portage (portage-2.2.01.15354-msb.patch, 7.48 KB, patch) -- 2010-07-14 07:04 UTC, Michael Weiser
small ebuild for testing various protection mechanisms (prefixtest-1.0.ebuild, 940 bytes, text/plain) -- 2010-07-14 07:13 UTC, Michael Weiser
mac os x sandbox/seatbelt for current prefix-portage (portage-2.2.01.16616-msb.patch, 8.22 KB, patch) -- 2010-09-24 09:08 UTC, Michael Weiser

Description Michael Weiser 2008-03-09 12:32:44 UTC
Hi,

Mac OS X 10.5 contains a MAC framework[1], one small part of which is the capability to sandbox processes. Examples for several system daemons can be found in /usr/share/sandbox. Apple marks it as experimental functionality that is subject to change and completely undocumented (save a few man pages: sandbox(7), sandbox-compilerd(8), sandbox-exec(1), sandbox_init(3), sandbox_free_error(3)).

After some discussion on gentoo-alt[3] I implemented the attached integration in prefix-portage. It introduces two new features macossandbox and macosprefixsandbox. The former confines all normally sandboxed ebuild stages into PORTAGE_BUILDDIR, the latter confines all normally unconfined ebuild stages into EPREFIX, preventing trashing of the surrounding host OS. As always, there are some quirks with this[4], but largely it seems to work.

[1] Mandatory Access Control Framework: http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html#//apple_ref/doc/uid/TP30000976-CH203-SW1
[2] Mac Sandbox Wrapper: http://www.macpronews.com/2008/0117.html
[3] Re: prefix-portage as root: http://archives.gentoo.org/gentoo-alt/msg_3aa65b54837e859b0582f87b994e66b8.xml
[4] path length limit in seatbelt/sandbox?: http://lists.apple.com/archives/darwin-kernel/2008/Mar/msg00004.html

Reproducible: Always

Steps to Reproduce:
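An added illustration (my own sketch, not the attached patches, which are not reproduced here) of the confinement the two features describe: a Seatbelt profile that denies everything by default and allows writes only below one tree, PORTAGE_BUILDDIR for macossandbox or EPREFIX for macosprefixsandbox, plus a toy evaluator for it. The SBPL rule syntax, the helper names and the sample paths are assumptions; the real filter grammar changed between releases, as the report itself warns.

```python
import re

# Regex metacharacters to escape so a literal path becomes a safe SBPL regex.
_META = re.compile(r'([.*+?()\[\]{}^$|\\])')

def sbpl_regex_escape(path):
    """Escape a filesystem path for use inside a Seatbelt (regex #"...") filter."""
    return _META.sub(r'\\\1', path.rstrip('/'))

def sbpl_profile(writable_roots):
    """Build an SBPL profile (assumed syntax): deny everything by default,
    allow reads and process operations, allow writes only below the given
    roots. For the macossandbox idea the root is PORTAGE_BUILDDIR; for
    macosprefixsandbox it is EPREFIX."""
    lines = ['(version 1)',
             '(deny default)',
             '(allow process*)',
             '(allow sysctl-read)',
             '(allow file-read*)']
    for root in writable_roots:
        # Trailing slash matters: a sibling such as foo-1.0-extra must not match.
        lines.append('(allow file-write* (regex #"^%s/"))' % sbpl_regex_escape(root))
    return '\n'.join(lines) + '\n'

_WRITE_RULE = re.compile(r'\(allow file-write\* \(regex #"([^"]*)"\)\)')

def write_allowed(profile, path):
    """Toy model of the kernel's decision for a file-write* on `path`:
    with (deny default) and only regex allow rules, any matching allow wins."""
    return any(re.search(rx, path) for rx in _WRITE_RULE.findall(profile))

def sandbox_exec_argv(profile_path, argv):
    """Command line that would run argv under the profile file via sandbox-exec(1)."""
    return ['sandbox-exec', '-f', profile_path] + list(argv)

if __name__ == '__main__':
    # Constructed sample paths, not taken from a real installation.
    eprefix = '/Users/micha/gentoo'
    builddir = eprefix + '/var/tmp/portage/app-misc/foo-1.0'
    profile = sbpl_profile([builddir])   # macossandbox: confine src_* phases
    print(profile)
    for p in (builddir + '/work/foo.o', eprefix + '/usr/lib/libfoo.dylib', '/usr/lib/x'):
        print(p, '->', 'allow' if write_allowed(profile, p) else 'deny')
    print(' '.join(sandbox_exec_argv('/tmp/portage.sb', ['ebuild', 'foo-1.0.ebuild', 'compile'])))
```

Swapping the build directory for EPREFIX gives the macosprefixsandbox variant: pkg_* phases may then touch the prefix but nothing on the host outside it.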
Comment 1 Michael Weiser 2008-03-09 12:34:29 UTC
Created attachment 145637 [details, diff]
add Mac OS X 10.5 sandboxing to prefix-portage
Comment 2 Fabian Groffen gentoo-dev 2008-03-20 20:36:36 UTC
Question (I lost it): does this also work as non-root?
Comment 3 Michael Weiser 2008-03-20 22:16:40 UTC
Hi Fabian,

the sandboxing mechanism works nicely as non-root and I've used sandbox-enabled portage as non-root before bootstrapping a system-wide prefix portage which runs as root.

The patch also contains a feature macosusersandbox analogous to the usersandbox feature for cases where a system-wide portage is told to run with normal user privileges. This is untested though.

As of now I've compiled and installed quite a comprehensive prefix installation including aqua'd gtk, gimp and wireshark. I haven't had any problems.

Those slight differences in configure tests still persist and remain unexplained. They don't stop things from working nicely, though.
-- 
Micha
Comment 4 Michael Weiser 2008-03-20 22:25:54 UTC
Created attachment 146708 [details, diff]
add sandboxing to bootstrap-prefix.sh

Almost forgotten: I've also added sandboxing to the bootstrap-prefix.sh script.
-- 
Cheers,
Micha
Comment 5 Fabian Groffen gentoo-dev 2008-03-22 14:09:21 UTC
put this in the correct category
Comment 6 Elias Pipping 2008-09-28 17:55:12 UTC
I think this should wait until it's documented as an official feature (probably 10.6)
Comment 7 Michael Weiser 2008-09-28 19:00:25 UTC
(In reply to comment #6)
> I think this should wait until it's documented as an official
> feature (probably 10.6)

By now the MAC framework and sandboxing feature are well advertised by Apple. They're just not very well documented, the few bits of documentation claiming a private interface subject to change at any time (header of .sb files in /usr/share/sandbox). This said and knowing Apple, it seems unlikely this will change very much with a future release. They'll change the interface and we'll need to adjust the portage feature for it but they probably won't improve the documentation situation.

If you're worried about users unknowingly causing problems for themselves and reporting non-issues caused by a preliminary feature, you're probably right. On the other hand, it obviously won't get tested either.

I've made it disabled by default, so two distinct features have to be put into the FEATURE variable explicitly to enable sandboxing on different levels. I've used it for quite some time now and have not had any problems.

I still have a bug open with apple about configure test behaving differently when run inside a sandbox. They haven't gotten back to me, but it hasn't caused any problems for me either. Obviously it's low-priority to them, as it's not a user-visible feature.
-- 
Micha
Comment 8 Fabian Groffen gentoo-dev 2009-10-25 09:38:58 UTC
I should add your portage patch, long overdue...  I hope it still applies
Comment 9 Michael Weiser 2009-10-25 12:49:17 UTC
(In reply to comment #8)
> I should add your portage patch, long overdue...  I hope it still applies

Never fear! ;) I have current versions and will attach them here right away. The portage patch broke several times, but mostly due to additions in const.py.
-- 
Thanks for getting back to me!
Micha
Comment 10 Michael Weiser 2009-10-25 12:50:03 UTC
Created attachment 208202 [details, diff]
add sandboxing to recent version of prefix-portage
Comment 11 Michael Weiser 2009-10-25 12:50:34 UTC
Created attachment 208203 [details, diff]
add sandboxing to recent version of bootstrap-prefix.sh
Comment 12 Fabian Groffen gentoo-dev 2009-10-28 19:15:35 UTC
Created attachment 208569 [details, diff]
add sandboxing to recent version of prefix-portage

here's a fixed version of your portage patch for the latest sources
Comment 13 Michael Weiser 2010-03-30 20:20:51 UTC
Created attachment 225873 [details, diff]
mac os x sandbox/seatbelt for current prefix-portage

a new version of the patch for extensively reworked current portage
Comment 14 Michael Weiser 2010-07-14 07:04:51 UTC
Created attachment 238679 [details, diff]
patch for current portage

a new patch for the current version of portage in prefix
Comment 15 Michael Weiser 2010-07-14 07:13:56 UTC
Created attachment 238687 [details]
small ebuild for testing various protection mechanisms

a small ebuild for testing the various layers of protection against direct or indirect filesystem access
Comment 16 Michael Weiser 2010-09-24 09:08:51 UTC
Created attachment 248497 [details, diff]
mac os x sandbox/seatbelt for current prefix-portage

(yet another ;) updated sandbox/seatbelt patch for current prefix-portage (16616)
Comment 17 Fabian Groffen gentoo-dev 2010-09-28 18:09:37 UTC
I decided to commit your patch, should be available in the very next version of portage that hits the tree.  Thanks!
Comment 19 Fabian Groffen gentoo-dev 2010-09-28 19:26:30 UTC
committed as 2.2.01.16692