Bug 212817

Summary:	use Sandbox/Seatbelt to confine ebuild on Mac OS X 10.5
Product:	Gentoo/Alt	Reporter:	Michael Weiser <michael>
Component:	Prefix Support	Assignee:	Gentoo Prefix <prefix>
Status:	RESOLVED FIXED
Severity:	enhancement	CC:	leho
Priority:	High	Keywords:	InVCS
Version:	unspecified
Hardware:	All
OS:	OS X
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	add Mac OS X 10.5 sandboxing to prefix-portage add sandboxing to bootstrap-prefix.sh add sandboxing to recent version of prefix-portage add sandboxing to recent version of bootstrap-prefix.sh add sandboxing to recent version of prefix-portage mac os x sandbox/seatbelt for current prefix-portage patch for current portage small ebuild for testing various protection mechanisms mac os x sandbox/seatbelt for current prefix-portage

Description Michael Weiser 2008-03-09 12:32:44 UTC

Hi,

Mac OS X 10.5 contains a MAC framework[1], one small part of which is the capability to sandbox processes. Examples for several system daemons can be found in /usr/share/sandbox. Apple marks it as experimental functionality that is subject to change and completely undocumented (save a few man pages: sandbox(7), sandbox-compilerd(8), sandbox-exec(1), sandbox_init(3), sandbox_free_error(3))

After some discussion on gentoo-alt[3] I implemented the attached integration in prefix-portage. It introduces two new features macossandbox and macosprefixsandbox. The former confines all normally sandboxed ebuild stages into PORTAGE_BUILDDIR, the latter confines all normally unconfined ebuild stages into EPREFIX, preventing trashing of the surrounding host OS. As always, there are some quirks with this[4], but largely it seems to work.

[1] Mandatory Acccess Control Framework: http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html#//apple_ref/doc/uid/TP30000976-CH203-SW1
[2] Mac Sandbox Wrapper: http://www.macpronews.com/2008/0117.html
[3] Re: prefix-portage as root: http://archives.gentoo.org/gentoo-alt/msg_3aa65b54837e859b0582f87b994e66b8.xml
[4] path length limit in seatbelt/sandbox?: http://lists.apple.com/archives/darwin-kernel/2008/Mar/msg00004.html

Reproducible: Always

Steps to Reproduce:

Comment 1 Michael Weiser 2008-03-09 12:34:29 UTC

Created attachment 145637 [details, diff]
add Mac OS X 10.5 sandboxing to prefix-portage

Comment 2 Fabian Groffen gentoo-dev

2008-03-20 20:36:36 UTC

question (I lost it) does this also work as non-root?

Comment 3 Michael Weiser 2008-03-20 22:16:40 UTC

Hi Fabian,

the sandboxing mechanism works nicely as non-root and I've used sandbox-enabled portage as non-root before bootstrapping a system-wide prefix portage which runs as root.

The patch also contains a feature macosusersandbox analogous to the usersandbox feature for cases where a system-wide portage is told to run with normal user privileges. This is untested though.

As of now I've compiled and installed quite a comprehensive prefix installation including aqua'd gtk, gimp and wireshark. I haven't had any problems.

Those slight differencies in configure tests still persist and remain unexplained. They don't stop things from working nicely, though.
-- 
Micha

Comment 4 Michael Weiser 2008-03-20 22:25:54 UTC

Created attachment 146708 [details, diff]
add sandboxing to bootstrap-prefix.sh

Almost forgotten: I've also added sandboxing to the bootstrap-prefix.sh script.
-- 
Cheers,
Micha

Comment 5 Fabian Groffen gentoo-dev

2008-03-22 14:09:21 UTC

put this in the correct category

Comment 6 Elias Pipping 2008-09-28 17:55:12 UTC

I think this should wait until it's documented as an official feature (probably 10.6)

Comment 7 Michael Weiser 2008-09-28 19:00:25 UTC

(In reply to comment #6)
> I think this should wait until it's documented as an official
> feature (probably 10.6)

By now the MAC framework and sandboxing feature are well advertised by Apple. They're just not very well documented, the few bits of documentation claiming a private interface subject to change at any time (header of .sb files in /usr/share/sandbox). This said and knowing Apple, it seems unlikely this will change very much with a future release. They'll change the interface and we'll need to adjust the portage feature for it but they probably won't improve the documentation situation.

If you're worried about users unknowingly causing problems for themselves and reporting non-issues caused by a preliminary feature, you're probably right. On the other hand, it obviously won't get tested either.

I've made it disabled by default, so two distinct features have to be put into the FEATURE variable explicitly to enable sandboxing on different levels. I've used it for quite some time now and have not had any problems.

I still have a bug open with apple about configure test behaving differently when run inside a sandbox. They haven't gotten back to me, but it hasn't caused any problems for me either. Obviously it's low-priority to them, as it's not a user-visible feature.
-- 
Micha

Comment 8 Fabian Groffen gentoo-dev

2009-10-25 09:38:58 UTC

I should add your portage patch, long overdue...  I hope it still applies

Comment 9 Michael Weiser 2009-10-25 12:49:17 UTC

(In reply to comment #8)
> I should add your portage patch, long overdue...  I hope it still applies

Never fear! ;) I have current versions and will attach them here right away. The portage patch broke several times, but mostly due to additions in const.py.
-- 
Thanks for getting back to me!
Micha

Comment 10 Michael Weiser 2009-10-25 12:50:03 UTC

Created attachment 208202 [details, diff]
add sandboxing to recent version of prefix-portage

Comment 11 Michael Weiser 2009-10-25 12:50:34 UTC

Created attachment 208203 [details, diff]
add sandboxing to recent version of bootstrap-prefix.sh

Comment 12 Fabian Groffen gentoo-dev

2009-10-28 19:15:35 UTC

Created attachment 208569 [details, diff]
add sandboxing to recent version of prefix-portage

here's a fixed version of your portage patch for the latest sources

Comment 13 Michael Weiser 2010-03-30 20:20:51 UTC

Created attachment 225873 [details, diff]
mac os x sandbox/seatbelt for current prefix-portage

a new version of the patch for extensively reworked current portage

Comment 14 Michael Weiser 2010-07-14 07:04:51 UTC

Created attachment 238679 [details, diff]
patch for current portage

a new patch for the current version of portage in prefix

Comment 15 Michael Weiser 2010-07-14 07:13:56 UTC

Created attachment 238687 [details]
small ebuild for testing various protection mechanisms

a small ebuild for testing the various layers of protection against direct or indirect filesystem access

Comment 16 Michael Weiser 2010-09-24 09:08:51 UTC

Created attachment 248497 [details, diff]
mac os x sandbox/seatbelt for current prefix-portage

(yet another ;) updated sandbox/seatbelt patch for current prefix-portage (16616)

Comment 17 Fabian Groffen gentoo-dev

2010-09-28 18:09:37 UTC

I decided to commit your patch, should be available in the very next version of portage that hits the tree.  Thanks!

Comment 18 Fabian Groffen gentoo-dev

2010-09-28 18:54:48 UTC

http://portage.prefix.freens.org/prefix/rev/e8f903fc9918

Comment 19 Fabian Groffen gentoo-dev

2010-09-28 19:26:30 UTC

committed as 2.2.01.16692