macOS: How to run your Applications in a Mac OS X sandbox to enhance security


In this article we’ll see how to configure and execute your software applications in an Apple Mac OS X sandbox. This kind of feature helps a lot to protect your Mac OS X security by executing an arbitrary application in a complete isolated environment.

Introduction

From Apple documentation:

The sandbox facility allows applications to voluntarily restrict their access to operating system resources. This safety mechanism is intended to limit potential damage in the event that a vulnerability is exploited. It is not a replacement for other operating system access controls.

New processes inherit the sandbox of their parent.

This means that, by using sandboxing, you can restrict access an application can have to operating system resources like filesystem or network etc…

Apple offers two ways to use sandboxing:

  1. one is by using sandbox library straight in the source code of your application
  2. the other is by running an arbitrary application using external sandboxing commands.

In this article we analyse the second.

When should I use Application Sandboxing?

Sandbox applications that:

  • You don’t trust (for example applications you have downloaded from the internet that require you to allow their execution without being able to verify the source signature nor to check their source code)
  • Need to access external websites (and so, may download malicious content that may attempt to exploit your browser or its plugins)

By reducing access an application can have over your filesystem and resources helps to limit or even prevent (in some cases) the damages that an exploitation can do on your system.

Please note: Sandboxing does not eliminate the need for a good anti-virus system, it actually works in conjunction with your anti-virus software. This because by reducing the access level an application can have over your system you actually help the job of your anti-virus software.

I have got an anti-virus/firewall software, do I need sandboxing then?

YES if you are running untrusted applications or applications that may be exposed to malicious content (like Internet browsers, image previewers, PDF readers and so on). This because anti-virus software can generically detect no more than 60% (this number can vary over the years) of the total number of virus and spyware out there, so by using sandboxing in conjunction with a good anti-virus software is a good security practice. It is a good practice also on Mac OS X, which is continuously advertised as secure, but, in multiple occasions, resulted not to be so secure.

So, what exactly can I limit an application from accessing when sandboxing it?

On Mac OS X you can limit an application from performing the following type of operations:
  • File read and/or write
  • IPC (InterProcess Communication) via Posix and SysV
  • Mach
  • Network activity inbound, outbound (specifically general networking or internet access)
  • Process execution and/or fork
  • Signals handling
  • Sysctl changes
  • System features call

Last but no least…

Sandboxing applications is not as simple as just running a software program. Many applications may crash when too heavily sandboxed or when specific restrictions are put into place. So, it’s more of a “try and fail until it works” art and it takes some time to proper master sandboxing.

Apple Store downloaded applications are strictly controlled, but this still does NOT make you immune from IPC interception for example, which allow a malicious application to sniff data from vulnerable application (at the bottom of this page you’ll find a real-world example of this). So, by putting extra care in those rare cases when you need to execute an arbitrary application (especially the ones you may download from the internet and not the Apple Store or even some of the ones from the Apple Store amazingly wrapped by some really skilled hacker) it’s a very good practice. Again, Sandboxing is not a solution for all problems and if you want to know more about it have a look at http://www.trustedbsd.org.

How to sandbox an application?

To sandbox an existing application all you have to do is create a sandbox configuration file in order to tell to Mac OS X which resources you want the application to be able to access and use.

Please note: To find out which resources are necessary for your application to run fine is the “try and fail” process I mentioned before. So you’ll need to be patient and keep modifying your sandbox configuration file until everything will work as you want and as your application needs.

Sandbox configuration file syntax

The sandbox configuration file is divided into multiple sections (one per resource macro category).

The “;” symbol indicates a comment line.

The commands/directives syntax is similar to LISP programming language syntax. In other words they are always between ( ) (parentheses) where the first element after the first “(” identify the subject and the subsequent ones either its parameters or its alterations.

You can import another configuration file using the “import” command and specifying where to find the file on your computer (file path and file name).  Apple provides pre-built configurations, but they tend to change their position on every new Mac OS update, so please try to find them on your system.

Sandbox configuration file example

Below an example of sandboxing configuration file that you can use as base for your own one (please replace MyApp with the application name you’re trying to sandbox):

;; This is my first sandbox configuration file!
(version 1) 
(deny default)

;; Let's allow file read and write in specific locations and not 
;; all over my filesystem!
;; Please note you can add more (regex "^/Users/user_name/xxxxxxxxxxx") lines depending 
;; on what your MyApp needs to function properly.
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/user_name/[Directories it requires to write and read from]")
  (regex "^/Applications/MyApp.app")
  (regex "^(/private)?/tmp/"))

;; You can also add a separate section for reading and writing files outside your
;; user_name account directory.
(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/System/Library")
  (regex "^/Applications/MyApp.app")
  (regex "^/usr/lib")
  (regex "^/var")
  (regex "^/Users/user_name"))

;; If your MyApp requires to access sysctl (in read)
(allow mach* sysctl-read)

;; If you want to import extra rules from 
;; an existing sandbox configuration file: 
(import "/usr/share/sandbox/bsd.sb")

;; If you want to decide in which filesystem paths 
;; MyApp is forbidden to write:
(deny file-write-data
   (regex #"^(/private)?/etc/localtime$"
     #"^/usr/share/nls/"
	 #"^/usr/share/zoneinfo/"))

;; If your MyApp wants to run extra processes it's be allowed to run only
;; child processes and nothing else
(allow process-exec 
  (regex "^/Applications/MyApp.app"))

;; If your MyApp requires network access you can grant it here:
(allow network*)

How to use a sandbox configuration file

Once we have done with our sandbox configuration file for your application, you can simply execute your application in the sandbox by using the following command from the command line:

sandbox-exec -f myapp-sandbox-conf /Applications/MyApp.app/Contents/MacOS/MyApp-bin

Where myapp-sandbox-conf is the name of your sandbox configuration file and MyApp is the name of the application your want to run in the sandbox.

For more info

If my generic sandbox file will be too generic for you and you want more practical examples (already implemented) then run your terminal application and have a look to all the examples already kindly provided by Apple:

ls /usr/share/sandbox

In this directory you’ll find plenty of files like

sshd.sb

To look into and have more insight/tutorial to write your own sandbox configuration file for your specific application.

That’s all folks, happy hacking!

[Quick Edit to add some security resources about sandboxing]

In case of any possible comment/thoughts about the native security offered by Mac OS X (included Yosemite), please look at this article before posting any comment on that matter.

Also have a look at this one which is a useful source of information and how critical is securing IPC to help avoiding password stealing.

[/Quick Edit]

If you want to have a look at a practical example then see this other article of mine: https://paolozaino.wordpress.com/2015/10/20/maximum-security-and-privacy-using-mac-os-sandbox-and-tor-browser-bundle/

Thanks for reading and, if you enjoyed this post, please support my blog by visiting my on-line hacking and engineering merchandise shop on redbubble.com by clicking here, thank you! 🙂

23 thoughts on “macOS: How to run your Applications in a Mac OS X sandbox to enhance security

  1. Pingback: Maximum security and privacy using Mac OS sandbox and Tor browser bundle | Paolo Fabio Zaino's Blog

  2. Pingback: Doing app builds in a sandbox * Best Wordpress Themes - Reviews

  3. What everyone doesn’t get is where does this creation take place ie: in terminal?? in a text editor??? and most of all you left out where the file.sb actually goes. This instruction leaves many people wondering where and what you are talking about because you just assume that everyone knows where to build and what tool is used to write the .sb file. Sorry to say this but this tutorial has no beginning and has no end.
    Even if we were to use your example exactly as written and changing MyApp…. people still wouldn’t know where to put the file.

    Like

    • Dave, thanks for reading my blog.

      To answer your questions:

      Q: Where the creation/editing takes place?
      A: In a text editor (you know the tool used to edit text files on every computer in the world)

      Q: Which editor to use?
      A: Any text editor (macOS comes with terminal based and GUI based editors, your choice)

      Q: Where to file.sb goes?
      A: Wherever you like and remember

      If you don’t know how to run manual commands on a modern computer, then remember to open your terminal application to do so.

      If you are not familiar with file editing on a modern computer then please read this other article where there is a practical example (sandboxing Tor Browser) and the file is provided via github.com so no need to edit anything. Since the application that most like “everyone” (to use your language) may want to sandbox is a web browser the example below is very good:

      https://paolozaino.wordpress.com/2015/10/20/maximum-security-and-privacy-using-mac-os-sandbox-and-tor-browser-bundle/

      One last and very important comment about posting on FREE and USEFUL information on the internet: I can understand that it may be frustrating for some user (especially beginners) to use such infos/code etc… BUT please try to remember that these info/code are provided for free and for your benefit, so keeping the tone relaxed is an important form of respect for who has been spending time to help others for free.

      Like

  4. Thanks for this tutorial. I keep getting permission denied when I try to run this. Not sure what I am doing wrong. Just changed the name of the app and file locations. Any common reasons I might be getting this error?

    Liked by 1 person

    • Hi David,
      thanks for reading my blog and for your comment.

      Usually permission denied error (if reported by the sandboxed application when you try to run it) means that you need to ease your restrictions as the sandbox has forbidden the app from accessing a path or a directory or a file it needs to work properly.

      Unfortunately each Application has its own requirements so it’s up to you to find out which files and paths are being access by the application you want to sandbox.

      In another article I have provided a practical example with sandboxing Tor Browser (which is constantly being attacked for various reasons and so it’s a perfect candidate to sandbox). That article may help you to have more details or just an example.

      Hope this helps,
      regards

      Like

  5. Is there any way to use sandboxing to force internet traffic for an app to go through a proxy / VPN / ssh tunnel? Looking for a ‘light’ way to isolate streams without a full VM.

    Liked by 1 person

    • Hi,
      Sandboxing only allows users or developers to set “behavioural” rules for an app, like disk access or network access etc…

      If you need to remap sockets access from a user point of view, so that you can set/force an app to use a specific proxy without changing it’s code then you may want to use a software like ProxyCap. Here is the link to it (please note they appear NOT supporting HTTPS so be extremely careful in downloading any executable from a non-encrypted source):
      http://www.proxycap.com

      Best regards

      Like

      • Unfortunately ProxyCap is closed source, so I’m not comfortable installing it, especially for such critical use in security / privacy. Any other (Open Source) ideas?

        Liked by 1 person

  6. Hi. Thank you for this instruction!
    Does this article still actual for Mac Os Catalina (10.15.2)?
    May be you have GUI to provide this settings more comfortable?

    Liked by 1 person

    • Hi,
      thanks for your comment.

      I haven’t tested on Catalina yet, honestly had no time, however I don’t see why it should not work on Catalina.

      Please make sure you can reach the pre-config files if you are going to use any, Apple is known for changing their position at every macOS upgrade.

      If you want an example of use I have written an article with a practical example, link is above somewhere.

      No GUI sorry, the biggest problem with that is that then I’ll have to maintain such a config creator program and honestly I don’t have time left for such activity.

      For latest release of the example script please refer to my github repository.

      Thanks and good luck!

      Like

  7. This is a wonderful article, thank you for this. I have been looking for a way to ensure an app is launched in sandboxed-mode with a custom configuration file, by double-clicking in the finder, or double-clicking a document to launch the app. Launching the app sandboxed via the terminal is fine, but might you know if it’s posslble to launch sandboxed via all the GUI methods of launching an app (double click, click in Dock, click on document, etc)?

    Liked by 1 person

    • Hi, thanks for reading!

      Have you tried to use Apple Script Automation to run the sandbox you’ve just created? It does exactly what you’re asking for (creates a double-clickable icon) and you still have the benefit of the script described in this article so you can improve it over-time.

      As for fully build Apps for this, multiple people have asked, but again the Apple Script Automation does exactly this and if you need to ask for input to a user it will generate input windows for you etc.

      Hope this helps and if it turns out to be too hard to use the technique above, please let me know and I’ll add an article on how to use Apple Script Automation, but I am pretty sure it’s already been covered by many others.

      Good luck! 🙂

      Like

  8. Hi there,

    Thanks for the great article!

    I’ve started playing with the sandbox (sandbox-exec in particular) and it’s a really great tool. I’m using it to sandbox dev environments, so that all executables are sandboxed by default to only access the local subpath.

    I’m running into some issues however. In particular, it looks like sandboxes cannot be nested:

    “`
    ~$ /usr/bin/sandbox-exec -p ‘(version 1)(allow default)’ echo hello
    hello
    ~$ /usr/bin/sandbox-exec -p ‘(version 1)(allow default)’ /usr/bin/sandbox-exec -p ‘(version 1)(allow default)’ echo hello
    sandbox-exec: sandbox_apply: Operation not permitted
    “`

    I haven’t managed to figure out if the (top) sandbox profile needs some special spells, or if this is simply not possible because of technical reasons.

    This is an issue because some tools (like a headless chrome used for frontend tests) have a baked-in sandbox. In some cases the sandbox can simply be disabled for those tools, but that’s not ideal. In a perfect world, the sandboxes would compose!

    Did you ever get something like this to work? Where would I look? I’ve also asked the Chrome folks: https://bugs.chromium.org/p/chromium/issues/detail?id=1237443

    Liked by 1 person

    • Thanks Mattia,

      “`
      ~$ /usr/bin/sandbox-exec -p ‘(version 1)(allow default)’ echo hello
      hello
      ~$ /usr/bin/sandbox-exec -p ‘(version 1)(allow default)’ /usr/bin/sandbox-exec -p ‘(version 1)(allow default)’ echo hello
      sandbox-exec: sandbox_apply: Operation not permitted
      “`

      The problem in your particular case seems to be that “sandbox-exec” requires privileges you are not passing and so “boom” it gets stopped.

      I am not sure why would you want to nest sandboxes, however please note that sandbox-exec is now deprecated. My article is from 2015 and we are now in 2021, so pretty old at this point. Yes sandbox-exec is still working, but it may be starting to phase out. When apple deprecate a tool it usually takes many years before it’s actually removed completely. However worth mentioning it.

      This is an issue because some tools (like a headless chrome used for frontend tests) have a baked-in sandbox. In some cases the sandbox can simply be disabled for those tools, but that’s not ideal. In a perfect world, the sandboxes would compose!

      Yes Apple prefers and recommends to use sandboxing from the code itself (which is a better approach because the software developers should know which resources his/her programs actually really need to run. However the point of sandboxing from a user perspective is to limit either malicious apps or reduce their surface attack.

      With this in mind, why do you need to sandbox a frontend test system?

      In any case, if you need nested sandboxing why not to use containers? or even better VMs?

      Hope this helps, all the best,
      – Paolo

      Like

      • Hi Paolo, thanks for the reply!

        > The problem in your particular case seems to be that “sandbox-exec” requires privileges you are not passing and so “boom” it gets stopped.

        Turns out it’s not a privilege issue; sandboxes simply can’t be nested, or so it seems: https://bugs.chromium.org/p/chromium/issues/detail?id=1237443#c1

        > I am not sure why would you want to nest sandboxes, however please note that sandbox-exec is now deprecated. My article is from 2015 and we are now in 2021, so pretty old at this point. Yes sandbox-exec is still working, but it may be starting to phase out. When apple deprecate a tool it usually takes many years before it’s actually removed completely. However worth mentioning it.

        Right, it is officially deprecated, but the new sandbox mechanism seems to rely on it. Chrome and Bazel both use it. There was a great article on (I think) the Bazel blog about why they were willing to take the risk, but I can’t find it right now. 🙈

        > Yes Apple prefers and recommends to use sandboxing from the code itself (which is a better approach because the software developers should know which resources his/her programs actually really need to run. However the point of sandboxing from a user perspective is to limit either malicious apps or reduce their surface attack.

        I’m not sure what you mean by “use sandboxing from the code itself”. Are you referring to initiating the sandbox from within the code with sandbox_init? I did read that this was not recommended, and that /usr/bin/sandbox-exec should be used instead.

        > With this in mind, why do you need to sandbox a frontend test system?

        When I do development, I like installing tools per-project, in a sandboxed way. That is, e.g. npm should only have access to `/Users/me/my-npm-project` and up. This works well in practice, except when Chrome is involved (or other tools that use the sandbox as well).

        > In any case, if you need nested sandboxing why not to use containers? or even better VMs?

        I’m on macOS, and the perform drop is quite huge (both in containers and VMs since containers run inside a VM)!

        > Hope this helps, all the best,

        It does, thanks!

        Like

      • Hi Mattia,

        > Turns out it’s not a privilege issue; sandboxes simply can’t be nested, or so it seems: https://bugs.chromium.org/p/chromium/issues/detail?id=1237443#c1

        What I meant with “privileges” is exactly that. The sandboxing engine basically creates a “complete operating system userland” around a process. Therefore whatever is executed within a sandbox (including another sandbox) won’t have enough privileges to talk with the host and therefore nest another userspace in the already virtualised userspace. Hope this is more clear. Hence what people say “it cannot nest”. However, if one thinks about it, this is a good thing. While Snadboxing can be classified as a Virtualisation technique, its goal is not “to share host resources”, instead its goal is to minimise host attack surface.

        > I’m not sure what you mean by “use sandboxing from the code itself”. Are you referring to initiating the sandbox from within the code with sandbox_init? I did read that this was not recommended, and that /usr/bin/sandbox-exec should be used instead.

        I mean use Apple Sandbox, which is not deprecated and is actually a requirement to distribute macOS apps on the Apple Store: https://developer.apple.com/documentation/security/app_sandbox

        > I’m on macOS, and the perform drop is quite huge (both in containers and VMs since containers run inside a VM)!

        Ha, I see now, yes it makes sense then, but unfortunately I think macOS sandbox is not the answer to your problem.

        > It does, thanks!

        Cool, and again thanks for reading and glad to hear it was useful to you, all the best!

        Like

Leave a Reply or Ask a Question

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.