-
Notifications
You must be signed in to change notification settings - Fork 353
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sandboxing on MacOS is too strict #3659
Comments
Do you need domain sockets for builds, or just for running tests? |
It is the build system itself that uses unix sockets, so I need it for potentially everything. |
For context: the build system is remake, created by @silene, as a mix of @silene: my current understanding is that your proposal is fairly reasonable: I see no strong security need to prevent local sockets during build. Would you send an actual Pull Requet with your proposed sandboxing-script changes? |
This commit allows applications to use unix socket. It also allows them to write to /dev/dtracehelper. This permission is not strictly needed, as no program is broken by a denied access. However, MacOS' dynamic loader (hence almost all the applications) wants to access it, so the system logs are flooded by messages such as "SandboxViolation: sh(49331) deny(1) file-write-data /dev/dtracehelper" when using opam.
Thanks for the report and contribution! |
This does look like it'll allow access to any domain sockets even outside of the build root. From a security perspective, it might be nice to refine this to only allow the sockets to be dropped in the opamroot. remake appears to support setting REMAKE_SOCKET to a suitable value. My general worry is that we're widening the attack surface on osx a lot with this patch. There are an awful lot of services listening on domain sockets throughout the system... |
How so? The file corresponding to the socket still needs to be accessible.
No, the environment variable
Sure, but how many of them are in directories accessible from the sandbox? The issue is not that an application inside the sandbox can use unix sockets. The issue is that an application inside the sandbox can use unix sockets that should have been outside the sandbox. |
I believe the current sandbox offers read-only access to the whole filesystem; it's only file writes that are restricted. So with this change, socket connects anywhere in the filesystem will probably just work. Previously this wasn't the case since the whole class of connectivity was denied.
Indeed, that's even better -- opam could just let sockets be connected to from the opam sandbox and tmpdir to let remake work without modifications. |
This commit allows applications to use unix socket. It also allows them to write to /dev/dtracehelper. This permission is not strictly needed, as no program is broken by a denied access. However, MacOS' dynamic loader (hence almost all the applications) wants to access it, so the system logs are flooded by messages such as "SandboxViolation: sh(49331) deny(1) file-write-data /dev/dtracehelper" when using opam.
On MacOS,
sandbox-exec
is called with the policy(deny network*)
, which breaks programs that rely on unix sockets for inter-process communications. Here is an example of the needed permissions:Adding
(allow network* (remote unix))
after(deny network*)
insrc/state/shellscripts/sandbox_exec.sh
seems to be sufficient and it should still forbid applications from actually accessing the network.The text was updated successfully, but these errors were encountered: