Data Security and Information Security

Robert Malmgren AB

“Trust is good, control is better.”

a blog about unixy stuff and so on

2010/11/04

IronFox 0.8.2 Released - Among other things.

An interesting problem when running sandbox application wrappers is that you might have a hard time confirming whether your application is sandboxed or not. The new policy (or more correctly, the updated policy) forbids Firefox from reading any information from your home directory, and will only display directories allowed for reading and writing (such as the Download directory). Should you ever be in doubt, simply press cmd+o; if no files are present in the home directory, you can expect the browser to be sandboxed. (Of course, you can always read /var/log/system.log if you are in debug mode :-)

The directory browser only displays the directories we are allowed to view

Another interesting property of macOS is that network shares are displayed regardless of whether you allow them to be read or not. This of course does not mean that Firefox can access the share, as is displayed here:

The directory browser only displays the directories we are allowed to view

But what is happening behind the scenes? Let's find out what is actually being denied here. Note that this list has been shortened a bit to make it easier to read. If you want to know all the gory details, they are present in /var/log/system.log if you run IronFox in debug mode. Note that most of this stuff isn't in Firefox itself, but in the API Firefox uses to access these resources.

sandboxd[13803]: firefox-bin(20023) deny mach-lookup com.apple.FSEvents
sandboxd[13803]: firefox-bin(20023) deny file-read-data /Users/andreas/Library/Preferences/com.apple.finder.plist

So the sandbox denies the browser access to the Mach port com.apple.FSEvents. We can guess by the names that this is Finder related, and assume that Finder wants to give us info about the SMB share.

firefox-bin[20023]: __SCPreferencesCreate open() failed: Operation not permitted
/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: SCPreferencesCreate failed: Failed!
sandboxd[13803]: firefox-bin(20023) deny file-read-data /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
firefox-bin[20023]: __SCPreferencesCreate open() failed: Operation not permitted
sandboxd[13803]: firefox-bin(20023) deny file-read-data /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
sandboxd[13803]: firefox-bin(20023) deny file-read-data /Library/Filesystems/NetFSPlugins

Firefox complains that SCPreferencesCreate fails due to lack of permission. No wonder. We are not allowed to read anything about SMB/CIFS.

/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: Failed to get user access for mount /Volumes/andreas
sandboxd[13803]: firefox-bin(20023) deny system-fsctl
sandboxd[13803]: firefox-bin(20023) deny file-read-data /private/var/db/smb.conf

Interesting. Firefox is not allowed to access this user mount, and the sandbox denies it system-fsctl, that is fsctl(2), which is a system call for manipulating the filesystem controlling a mounted filesystem. We are also denied reading the Samba configuration file.

/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: 1025 failures to open smb device: syserr = No such file or directory
/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: netfs_GetServerInfo returned 2

Firefox complains about the lack of an SMB device. News for me that Apple had one of those.

sandboxd[13803]: firefox-bin(20023) deny network-inbound 0.0.0.0:52129
sandboxd[13803]: firefox-bin(20023) deny file-read-data /dev/nsmb0

Firefox listening on my network? No. Here we also find the device that Firefox was complaining about not being able to open.

/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: Failed to get user access for mount /Volumes/andreas
sandboxd[13803]: firefox-bin(20023) deny file-read-data /Library/Filesystems/NetFSPlugins
sandboxd[13803]: firefox-bin(20023) deny system-fsctl
sandboxd[13803]: firefox-bin(20023) deny file-read-data /private/var/db/smb.conf
sandboxd[13803]: firefox-bin(20023) deny network-inbound 0.0.0.0:59283
sandboxd[13803]: firefox-bin(20023) deny file-read-data /dev/nsmb0

Hmmm. It didn't work the first time, but the API will ensure that several attempts are made before it gives up.

/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: 1025 failures to open smb device: syserr = No such file or directory
sandboxd[13803]: firefox-bin(20023) deny file-read-data /dev/nsmb0
/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: 1025 failures to open smb device: syserr = No such file or directory
/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: netfs_GetServerInfo returned 2
sandboxd[13803]: firefox-bin(20023) deny mach-lookup com.apple.netauth.useragent
/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: SharePointBrowser::handleOpenCallBack returned -6600

Wow. SharePointBrowser. More news for me. Firefox concludes that the return code -6600 is not normal. The sandbox denies IPC access to the Mach port com.apple.netauth.useragent, which we can guess would have handled authorization to the share for us.

sandboxd[13803]: firefox-bin(20023) deny mach-lookup com.apple.netauth.useragent
sandboxd[13803]: firefox-bin(20023) deny network-inbound 10.100.100.88:55691
sandboxd[13803]: firefox-bin(20023) deny network-inbound 10.100.100.88:55690
firefox-bin[20023]: __SCPreferencesCreate open() failed: Operation not permitted
/Applications/IronFox.app/Contents/Resources/IronFox.app/Contents/MacOS/firefox-bin[20023]: SCPreferencesCreate failed: Failed!
sandboxd[13831]: firefox-bin(20023) deny mach-lookup com.apple.FSEvents

Another access attempt to the IPC port com.apple.netauth.useragent is denied, as is the possibility to open listening sockets on my IP address on ports 55691 and 55690. SCPreferencesCreate fails, and we are still not allowed to access FSEvents. So there we go. A quick summary of what happens when you try to browse a network share in OS X when you are not allowed to.
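
The deny lines walked through above all follow one fixed shape, so they can be summarized mechanically instead of read by eye. The following is an added example, not part of the original post or of IronFox: the function names parse_denials, summarize and is_sandboxed are hypothetical, and SAMPLE reuses log lines quoted in the post.

```python
import re
from collections import Counter, defaultdict

# Line shape as quoted in the post: sandboxd[PID]: PROC(PID) deny OPERATION [TARGET]
DENY_RE = re.compile(
    r"sandboxd\[\d+\]:\s+(?P<proc>\S+?)\((?P<pid>\d+)\)\s+deny\s+"
    r"(?P<op>[\w-]+)(?:\s+(?P<target>.+))?$"
)

# Excerpt built from log lines quoted in the post, including one non-sandboxd line.
SAMPLE = """\
sandboxd[13803]: firefox-bin(20023) deny mach-lookup com.apple.FSEvents
sandboxd[13803]: firefox-bin(20023) deny file-read-data /Users/andreas/Library/Preferences/com.apple.finder.plist
firefox-bin[20023]: __SCPreferencesCreate open() failed: Operation not permitted
sandboxd[13803]: firefox-bin(20023) deny file-read-data /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
sandboxd[13803]: firefox-bin(20023) deny system-fsctl
sandboxd[13803]: firefox-bin(20023) deny file-read-data /dev/nsmb0
sandboxd[13803]: firefox-bin(20023) deny network-inbound 0.0.0.0:52129
sandboxd[13803]: firefox-bin(20023) deny file-read-data /dev/nsmb0
sandboxd[13803]: firefox-bin(20023) deny mach-lookup com.apple.netauth.useragent
"""

def parse_denials(text):
    """Yield (proc, pid, operation, target) for every sandboxd deny line."""
    for line in text.splitlines():
        m = DENY_RE.search(line.strip())  # search() tolerates a syslog prefix
        if m:
            yield m["proc"], int(m["pid"]), m["op"], m["target"] or ""

def summarize(text, proc="firefox-bin"):
    """Group denials for one process: operation -> Counter of targets."""
    summary = defaultdict(Counter)
    for name, _pid, op, target in parse_denials(text):
        if name == proc:
            summary[op][target] += 1
    return summary

def is_sandboxed(text, proc="firefox-bin"):
    """Heuristic: any deny line for proc means a profile is being enforced.
    No deny lines proves nothing; denials may simply not be logged."""
    return any(name == proc for name, *_ in parse_denials(text))

if __name__ == "__main__":
    for op, targets in sorted(summarize(SAMPLE).items()):
        print(f"{op}: {sum(targets.values())} denied")
        for target, n in targets.most_common():
            print(f"    {n:>3}  {target or '(no target)'}")
```

Grouping by operation makes the retry behaviour visible at a glance: repeated denials on the same target, such as /dev/nsmb0, collapse into a single counted entry.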