
Bug 212817

Summary: use Sandbox/Seatbelt to confine ebuild on Mac OS X 10.5
Product: Gentoo/Alt
Reporter: Michael Weiser <michael>
Component: Prefix Support
Assignee: Gentoo Prefix <prefix>
Status: RESOLVED FIXED
Severity: enhancement
CC: leho
Priority: High
Keywords: InVCS
Version: unspecified
Hardware: All
OS: OS X

Attachments:
- add Mac OS X 10.5 sandboxing to prefix-portage
- add sandboxing to bootstrap-prefix.sh
- add sandboxing to recent version of prefix-portage
- add sandboxing to recent version of bootstrap-prefix.sh
- add sandboxing to recent version of prefix-portage
- mac os x sandbox/seatbelt for current prefix-portage
- patch for current portage
- small ebuild for testing various protection mechanisms
- mac os x sandbox/seatbelt for current prefix-portage

Description Michael Weiser 2008-03-09 12:32:44 UTC
Hi,

Mac OS X 10.5 contains a MAC framework[1], one small part of which is the capability to sandbox processes. Examples for several system daemons can be found in /usr/share/sandbox. Apple marks it as experimental functionality that is subject to change and completely undocumented (save a few man pages: sandbox(7), sandbox-compilerd(8), sandbox-exec(1), sandbox_init(3), sandbox_free_error(3)).

After some discussion on gentoo-alt[3] I implemented the attached integration in prefix-portage. It introduces two new features macossandbox and macosprefixsandbox. The former confines all normally sandboxed ebuild stages into PORTAGE_BUILDDIR, the latter confines all normally unconfined ebuild stages into EPREFIX, preventing trashing of the surrounding host OS. As always, there are some quirks with this[4], but largely it seems to work.

[1] Mandatory Access Control Framework: http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html#//apple_ref/doc/uid/TP30000976-CH203-SW1
[2] Mac Sandbox Wrapper: http://www.macpronews.com/2008/0117.html
[3] Re: prefix-portage as root: http://archives.gentoo.org/gentoo-alt/msg_3aa65b54837e859b0582f87b994e66b8.xml
[4] path length limit in seatbelt/sandbox?: http://lists.apple.com/archives/darwin-kernel/2008/Mar/msg00004.html

Reproducible: Always
Comment 1 Michael Weiser 2008-03-09 12:34:29 UTC
Created attachment 145637 [details, diff]
add Mac OS X 10.5 sandboxing to prefix-portage
Comment 2 Fabian Groffen gentoo-dev 2008-03-20 20:36:36 UTC
Question (I lost it): does this also work as non-root?
Comment 3 Michael Weiser 2008-03-20 22:16:40 UTC
Hi Fabian,

the sandboxing mechanism works nicely as non-root and I've used sandbox-enabled portage as non-root before bootstrapping a system-wide prefix portage which runs as root.

The patch also contains a feature macosusersandbox analogous to the usersandbox feature for cases where a system-wide portage is told to run with normal user privileges. This is untested though.

As of now I've compiled and installed quite a comprehensive prefix installation including aqua'd gtk, gimp and wireshark. I haven't had any problems.

Those slight differences in configure tests still persist and remain unexplained. They don't stop things from working nicely, though.
-- 
Micha
Comment 4 Michael Weiser 2008-03-20 22:25:54 UTC
Created attachment 146708 [details, diff]
add sandboxing to bootstrap-prefix.sh

Almost forgotten: I've also added sandboxing to the bootstrap-prefix.sh script.
-- 
Cheers,
Micha
Comment 5 Fabian Groffen gentoo-dev 2008-03-22 14:09:21 UTC
put this in the correct category
Comment 6 Elias Pipping 2008-09-28 17:55:12 UTC
I think this should wait until it's documented as an official feature (probably 10.6)
Comment 7 Michael Weiser 2008-09-28 19:00:25 UTC
(In reply to comment #6)
> I think this should wait until it's documented as an official
> feature (probably 10.6)

By now the MAC framework and sandboxing feature are well advertised by Apple. They're just not very well documented, with the few bits of documentation claiming a private interface subject to change at any time (header of the .sb files in /usr/share/sandbox). That said, and knowing Apple, it seems unlikely this will change very much with a future release. They'll change the interface and we'll need to adjust the portage feature for it, but they probably won't improve the documentation situation.

If you're worried about users unknowingly causing problems for themselves and reporting non-issues caused by a preliminary feature, you're probably right. On the other hand, it obviously won't get tested either.

I've made it disabled by default, so two distinct features have to be put into the FEATURES variable explicitly to enable sandboxing on different levels. I've used it for quite some time now and have not had any problems.

I still have a bug open with apple about configure test behaving differently when run inside a sandbox. They haven't gotten back to me, but it hasn't caused any problems for me either. Obviously it's low-priority to them, as it's not a user-visible feature.
-- 
Micha
Comment 8 Fabian Groffen gentoo-dev 2009-10-25 09:38:58 UTC
I should add your portage patch, long overdue...  I hope it still applies
Comment 9 Michael Weiser 2009-10-25 12:49:17 UTC
(In reply to comment #8)
> I should add your portage patch, long overdue...  I hope it still applies

Never fear! ;) I have current versions and will attach them here right away. The portage patch broke several times, but mostly due to additions in const.py.
-- 
Thanks for getting back to me!
Micha
Comment 10 Michael Weiser 2009-10-25 12:50:03 UTC
Created attachment 208202 [details, diff]
add sandboxing to recent version of prefix-portage
Comment 11 Michael Weiser 2009-10-25 12:50:34 UTC
Created attachment 208203 [details, diff]
add sandboxing to recent version of bootstrap-prefix.sh
Comment 12 Fabian Groffen gentoo-dev 2009-10-28 19:15:35 UTC
Created attachment 208569 [details, diff]
add sandboxing to recent version of prefix-portage

here's a fixed version of your portage patch for the latest sources
Comment 13 Michael Weiser 2010-03-30 20:20:51 UTC
Created attachment 225873 [details, diff]
mac os x sandbox/seatbelt for current prefix-portage

a new version of the patch for extensively reworked current portage
Comment 14 Michael Weiser 2010-07-14 07:04:51 UTC
Created attachment 238679 [details, diff]
patch for current portage

a new patch for the current version of portage in prefix
Comment 15 Michael Weiser 2010-07-14 07:13:56 UTC
Created attachment 238687 [details]
small ebuild for testing various protection mechanisms

a small ebuild for testing the various layers of protection against direct or indirect filesystem access
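The confinement the description calls macossandbox (writes limited to PORTAGE_BUILDDIR) and the direct/indirect filesystem checks the test ebuild in comment 15 performs, as an added example that is not one of the patches or attachments on this bug: a minimal Seatbelt (SBPL) profile driven by sandbox-exec(1), plus a check that a write inside the build directory succeeds while a direct write outside, a write through a symlink pointing outside, and a write from a forked child are all denied. Assumptions: sandbox-exec's -f and -D key=value options and the SBPL operations used here behave as on Mac OS X 10.5 and later; the scratch locations allowed for writing (/private/tmp, /private/var/folders, /dev/null) are a guess at what a build needs and must be adjusted per system; paths contain no spaces. Nothing here is portage code.

```shell
#!/bin/sh
# Added example for Gentoo bug 212817, not the prefix-portage patch attached
# to it. Emits a Seatbelt profile that confines a build step to one
# directory and checks the confinement the way the test ebuild does.

# Emit the SBPL profile on stdout. Everything is denied by default; reads are
# allowed everywhere (toolchain, headers and libraries live outside the build
# dir), writes only below the directory passed with -D BUILDDIR=... and a few
# assumed scratch locations. (debug deny) logs every denied operation to the
# system log, which is how you find out what a confined configure test
# actually tried to touch.
mk_profile() {
    cat <<'EOF'
(version 1)
(deny default)
(debug deny)
(allow process*)
(allow signal (target self))
(allow sysctl-read)
(allow mach-lookup)
(allow file-read*)
(allow file-write* (subpath (param "BUILDDIR")))
(allow file-write* (subpath "/private/tmp"))
(allow file-write* (subpath "/private/var/folders"))
(allow file-write* (literal "/dev/null"))
EOF
}

# Seatbelt matches resolved paths, and /tmp is a symlink to /private/tmp on
# Mac OS X, so the build dir must be canonicalised before it goes into the
# subpath filter; otherwise every write is silently denied.
resolve_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Run a command confined to build directory $1. Where sandbox-exec is missing
# (e.g. on Linux) report what would run and fail, rather than pretend the
# command ran confined.
run_confined() {
    sb_dir=$(resolve_dir "$1") || return 1
    shift
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "sandbox-exec not found; would run: sandbox-exec -D BUILDDIR=$sb_dir -f <profile> $*" >&2
        return 127
    fi
    mk_profile > "$sb_dir/.seatbelt.sb" || return 1
    sandbox-exec -D "BUILDDIR=$sb_dir" -f "$sb_dir/.seatbelt.sb" "$@"
}

# Check the confinement: a write inside the build dir $1 must succeed; a
# direct write into $2, a write through a symlink in $1 that points into $2,
# and a write into $2 from a forked child must all fail. Returns 0 only if
# every case behaves as expected.
check_confinement() {
    builddir=$1 outside=$2
    ln -sf "$outside/via-symlink" "$builddir/link-out" || return 1
    run_confined "$builddir" sh -c "echo ok > '$builddir/inside'" || return 1
    run_confined "$builddir" sh -c "echo x > '$outside/direct'" 2>/dev/null && return 1
    run_confined "$builddir" sh -c "echo x > '$builddir/link-out'" 2>/dev/null && return 1
    run_confined "$builddir" sh -c "( echo x > '$outside/child' )" 2>/dev/null && return 1
    [ "$(cat "$builddir/inside" 2>/dev/null)" = ok ] || return 1
    [ ! -e "$outside/direct" ] && [ ! -e "$outside/via-symlink" ] && [ ! -e "$outside/child" ]
}

# Usage on Mac OS X:
#   mkdir -p /tmp/build /tmp/outside
#   check_confinement /tmp/build /tmp/outside && echo confined
```

The allow list is deliberately small; a real build will hit further denials (the system log shows them thanks to `(debug deny)`), and that is also where the configure-test differences the reporter mentions would show up.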
Comment 16 Michael Weiser 2010-09-24 09:08:51 UTC
Created attachment 248497 [details, diff]
mac os x sandbox/seatbelt for current prefix-portage

(yet another ;) updated sandbox/seatbelt patch for current prefix-portage (16616)
Comment 17 Fabian Groffen gentoo-dev 2010-09-28 18:09:37 UTC
I decided to commit your patch, should be available in the very next version of portage that hits the tree.  Thanks!
Comment 19 Fabian Groffen gentoo-dev 2010-09-28 19:26:30 UTC
committed as 2.2.01.16692