Restricting child process sandbox

Hello,

I have an application which is running sandboxed and it also launches a child processes via posix_spawn. I already learned that child processes are running in the same sandbox as the launching application.

What I wonder is if there is a way to launch the child with different sandbox profile from the parent application while maintaining the parent-child relationship?

My use case is that helper applications doesn't need access to bunch of stuff the parent needs and we want to limit blast radius in case of security problem. I know that's what XPCServices are for, but we have a multi-platform code which is relying on POSIX process model quite heavily.

Thank you

Answered by DTS Engineer in 781939022

What I wonder is if there is a way to launch the child with different sandbox profile from the parent application while maintaining the parent-child relationship?

No.

Note We don’t support custom sandboxes at all. That’s because, while the sandbox_init routine is public (albeit deprecated) API, the sandbox profile format has never been documented publicly. That doesn’t stop some folks using it though.

I know that's what XPCServices are for

Correct.

we have a multi-platform code which is relying on POSIX process model quite heavily.

I’m sure that’s nothing that another layer of abstraction can’t fix (-:

Seriously, it is possible to pass file descriptors over an XPC connection, so if your abstraction was ‘launch this child process in this environment and give me back some pipes connected to it’, it would be feasible to build that on top of XPC on macOS and Posix APIs on other platforms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Also have to add that from experimentation I learned that basically once sandbox_init[1][2] is called in the parent process, a child can't init its own sandbox, any attempt to re-init will fail.

[1] Doesn't matter if triggered by entitlements via libsecinit or manually calling sandbox_init in the main()[2] The role of com.apple.security.inherit was for long time lost on me, it seems its sole role is to prevent libsecinit to init a sandbox when com.apple.security.app-sandbox is present :)
Accepted Answer

What I wonder is if there is a way to launch the child with different sandbox profile from the parent application while maintaining the parent-child relationship?

No.

Note We don’t support custom sandboxes at all. That’s because, while the sandbox_init routine is public (albeit deprecated) API, the sandbox profile format has never been documented publicly. That doesn’t stop some folks using it though.

I know that's what XPCServices are for

Correct.

we have a multi-platform code which is relying on POSIX process model quite heavily.

I’m sure that’s nothing that another layer of abstraction can’t fix (-:

Seriously, it is possible to pass file descriptors over an XPC connection, so if your abstraction was ‘launch this child process in this environment and give me back some pipes connected to it’, it would be feasible to build that on top of XPC on macOS and Posix APIs on other platforms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Restricting child process sandbox
 
 
Q