S 4.375 Use of the sandbox function under Mac OS X

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The Mac OS X operating system is equipped with a sandbox function. A sandbox function allows a process to be executed in its own restricted environment, in which it is completely shielded from the rest of the IT system. It is thus possible, for instance, to withdraw network or file access from the application locked in a sandbox in order to minimise the potential extent of damage in the event of a malfunction of the process. The sandbox function is a further restriction and does not disable any underlying limitations such as access control lists. A sandbox therefore cannot allow anything that is restricted by other techniques; rather, it is a very fine-grained way of testing the effects of programs and of specifically restricting those effects.

It is recommended to test new programs or services that participate in network communication in a sandbox before they are used on a production system. If a new child process is started in the sandbox, it inherits the restrictions of the sandbox. If, for example, Safari is run in a sandbox and a PDF file prepared by malicious software is downloaded by the browser and opened automatically, the restricted rights of the sandbox also apply to the execution of the PDF file, and the potential extent of damage is limited considerably.

When users can only use the browser in a sandbox, it is also possible to prevent the installation of plug-ins that have not yet been approved, since the browser is in its original state again after each reboot. The administrator must define and configure which applications are to be executed within a sandbox.

The following command starts Safari in a sandbox without file write access rights:

sandbox-exec -p "(version 1) (allow default) (deny file-write*)" /Applications/Safari.app/Contents/MacOS/Safari

If the command is supplemented by the (debug all) parameter, all actions can be viewed in Console.app.

In addition, it is possible to create a sandbox profile that holds all configuration parameters. The /usr/share/sandbox directory contains several sandbox profiles defined for certain system services. If a corresponding profile is available and has been adapted to the local policies, the command to call an application could be as follows:

sandbox-exec -f /usr/share/sandbox/safari.sb /Applications/Safari.app/Contents/MacOS/Safari &
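
The profile-file approach and the inheritance of restrictions by child processes, shown as an added example that is not part of the original safeguard text. The profile contents, the scratch directory and the function names are assumptions chosen for illustration; the profile denies network access and all file writes except below one directory, and the write is attempted by a child process of the sandboxed shell.

```shell
#!/bin/sh
# Added example (not from the safeguard text). Profile rules and paths are assumptions.

# write_profile FILE DIR
# Writes a profile that keeps the default permissions but denies all network
# access and all file writes, except writes below DIR. Later rules take
# precedence, so the allow rule for DIR follows the general deny rule.
write_profile() {
    cat > "$1" <<EOF
(version 1)
(allow default)
(deny network*)
(deny file-write*)
(allow file-write* (subpath "$2"))
EOF
}

# try_write PROFILE PATH
# Starts /bin/sh inside the sandbox and lets its child process (touch)
# attempt the write. Exit status 0 means the write was permitted.
try_write() {
    sandbox-exec -f "$1" /bin/sh -c 'touch "$1"' sh "$2" 2>/dev/null
}

demo() {
    command -v sandbox-exec >/dev/null 2>&1 || {
        echo "sandbox-exec not available on this system, skipping run"
        return 0
    }
    # subpath filters match the real path, so resolve symlinks such as /tmp.
    scratch=$(cd "$(mktemp -d "${TMPDIR:-/tmp}/sbdemo.XXXXXX")" && pwd -P)
    mkdir "$scratch/out"
    write_profile "$scratch/demo.sb" "$scratch/out"

    try_write "$scratch/demo.sb" "$scratch/out/allowed" \
        && echo "child wrote inside the permitted directory"
    try_write "$scratch/demo.sb" "$scratch/blocked" \
        || echo "child was denied outside the permitted directory"
    rm -rf "$scratch"
}

demo
```
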

Review questions: