Friday, June 26, 2009

Meet Mac's "sandbox-exec"

I was working on something to block outgoing connections for one particular app *only*. I use a Mac running Leopard, so the first place I looked was System Preferences -> Security -> Firewall. I was disappointed to find no "Block Outgoing Connections" option there: that firewall can only block incoming connections. Anyway...

Then I met sandbox-exec :) It runs an app inside a sandbox whose profile you define to restrict access to resources such as the network and the file system. Here's a simple sandbox file which denies all network access:

(version 1)
(allow default)
(deny network*)

Running sandbox-exec with the above file denies all network access to your app, both outgoing and incoming. Here's a session showing ping run from bash with and without it:

$ ping -t3 google.com
PING google.com (74.125.67.100): 56 data bytes
64 bytes from 74.125.67.100: icmp_seq=0 ttl=49 time=368.312 ms
64 bytes from 74.125.67.100: icmp_seq=1 ttl=49 time=318.240 ms
64 bytes from 74.125.67.100: icmp_seq=2 ttl=49 time=319.793 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 318.240/335.448/368.312/23.247 ms
$
$
$ cat block-network.sb
(version 1)
(allow default)
(deny network*)
$
$ sandbox-exec -f block-network.sb /bin/bash
$ ping -t3 google.com
bash: /sbin/ping: Operation not permitted
$ ping -t3 yahoo.com
bash: /sbin/ping: Operation not permitted
$ ping -t3 apple.com
bash: /sbin/ping: Operation not permitted
$ exit
exit
$ ping -t3 google.com
PING google.com (74.125.67.100): 56 data bytes
64 bytes from 74.125.67.100: icmp_seq=0 ttl=49 time=321.997 ms
64 bytes from 74.125.67.100: icmp_seq=1 ttl=49 time=321.350 ms
64 bytes from 74.125.67.100: icmp_seq=2 ttl=49 time=321.676 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 321.350/321.674/321.997/0.264 ms
$

If you want to write more sophisticated sandbox files, you should probably check out the profiles Apple ships for its own system daemons in /usr/share/sandbox/.
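The profile above is a blacklist: everything is allowed except the network. As an added example (not from the original post), here is the same goal written the way Apple's own daemon profiles do it: deny everything, then allow back only what a command-line tool needs, and log each denial so you can tune the profile. The rule names follow the Leopard-era profiles in /usr/share/sandbox; the scratch path under /private/tmp is an assumption you change for your own tool.

```scheme
;; no-network.sb: run one command-line tool with no network at all.
;; Run with:  sandbox-exec -f no-network.sb /path/to/tool [args]
(version 1)

;; Log every denied operation to the system log (Console.app,
;; /var/log/system.log) so you can see what else the tool tried to do.
(debug deny)

;; Least privilege: nothing is allowed unless listed below.
(deny default)

;; Process basics the tool needs to start and run helpers.
(allow process*)
(allow sysctl-read)

;; Read access to libraries, frameworks and the tool's own files.
(allow file-read*)

;; Writes only under a scratch directory (assumed path; adjust it).
(allow file-write* (regex "^/private/tmp/mytool/"))

;; Spell out the network denial even though (deny default) already
;; covers it, so the intent survives later edits to this file.
(deny network*)
```

When the tool fails for a non-network reason, the denial logged by (debug deny) tells you which rule to add rather than tempting you back to (allow default).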

Enjoy...
