The MacOSX sandbox functionality is not talked about, and there exists almost zero documentation on the subject. As Google Chrome uses it to contain its browser, so could any other app. The goal of the ironfox project is to provide the user with a secured Firefox, but still let the user browse the web without the sandbox interfering. It does this by white-listing all the actions that Firefox may do. Should the user’s browser be compromised by a vulnerability in Flash or Java, the sandbox would prevent it from leaking any data or executing binaries, preventing system compromise. To break the sandbox the attacker would likely need to have an exploit for the browser and a kernel exploit that would work within the context of the sandbox. The policy is included in the package and should give the user great insights in the workings of the sandbox. It only works in 10.6 but could be backported to 10.5 without much trouble, as both have the seatbelt/sandbox kernel module.
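To illustrate the white-listing approach described above, here is a minimal deny-by-default seatbelt profile written in Apple's SBPL (the Scheme-like language used by sandbox-exec on 10.6). It is an added example, not the ironfox policy itself; the application path, the writable directory and the Mach service names are assumptions chosen for illustration.

```scheme
;; Added example, not IronFox's profile: a deny-by-default seatbelt policy
;; for a hypothetical browser installed at /Applications/Example.app.
(version 1)
(deny default)                          ; anything not listed below is refused

;; Code and libraries the browser must be able to read.
(allow file-read*
    (subpath "/Applications/Example.app")
    (subpath "/System/Library")
    (subpath "/usr/lib")
    (literal "/dev/urandom"))
(allow file-read-metadata)              ; stat() on paths, needed by most apps

;; One writable directory for the browser profile; the rest of the disk is
;; read-only or invisible, so a compromised plug-in cannot drop a binary.
;; HOME is supplied at launch with: sandbox-exec -D HOME="$HOME" ...
(allow file-read* file-write*
    (subpath (string-append (param "HOME")
                            "/Library/Application Support/Example")))

;; Outbound web traffic only. No listening sockets, so the process cannot
;; open a backdoor, and local services stay unreachable.
(allow network-outbound
    (remote tcp "*:80")
    (remote tcp "*:443"))
(deny network-bind)
(deny network-inbound)

;; Explicitly refuse spawning other programs (already implied by deny default,
;; stated here so the intent is visible when reading the policy).
(deny process-exec)

;; The few Mach services a GUI application needs on 10.6 (assumed minimal set).
(allow mach-lookup
    (global-name "com.apple.windowserver.active")
    (global-name "com.apple.CoreServices.coreservicesd"))
(allow sysctl-read)

;; Launch: sandbox-exec -D HOME="$HOME" -f example.sb \
;;             /Applications/Example.app/Contents/MacOS/example
```

Denied operations are logged by the kernel to the system log (the "sandboxd" deny messages in Console.app), which is how a profile like this is tightened: start with deny default, run the application, and add only the operations that show up as legitimate denials.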
I must confess that I’m surprised Apple didn’t sound any fanfare about the sandbox feature. It’s only with this article that I came to see the first “thing” boasting out of using the sandbox. Yet, I’m using OS X at work.
Maybe they’re not that fond of the desktop market anymore. Not new and shiny enough.
Wonder if this wouldn’t be an argument in favor of Mac people claiming they have the “bigger security” (don’t want to start another useless OS war, so please refrain from arguing…).
Does anyone know which other Mac browsers (obviously, other than Ironfox and Chrome) are sandboxed?
It seems to be pretty much the same thing as SELinux.
SELinux is much more than the Apple sandbox, as SELinux allows for a complete system policy, while the sandbox only allows for application policies.
If you want to compare this to something existing in linux, apparmor would be more correct – with one big difference.
Apparmor can force the user to use a secure/contained/sandboxed version of the program, while the sandbox requires that the user opts in. (Not true for launch agents though).
OTOH, the sandbox can be initiated from userland without any special privileges, while policy loading and control requires root access in apparmor.
> Does anyone know which other Mac browsers (obviously, other than Ironfox and Chrome) are sandboxed?
We (ROMAB, the IronSuite project guys) have a working Alpha of a sandbox for Safari5 in-house. I’ve managed to get it to work with support for plain web browsing, PDFs, Quicktime, and similar addons.
It will turn up on the IronSuite web page (www.romab.com/ironsuite) in some days time. As will sandbox profiles for Adium, Tweetdeck, Thunderbird, etc. All profiles come with the simplified BSD license.
I’m the Opera supporter around here so my question is: are you planning to sandbox Opera too?
It depends. Sandboxing Opera shouldn’t be much of a problem, but maintaining and testing would. As nobody here uses Opera (it lacks spnego) we would likely be poor maintainers.
That being said, we might do this but we are not promising anything.
I know that Chrome uses Windows provided security features to estimate a sandbox. Does anyone know where I can find documentation on this?
What does the Linux Chrome use to provide its sandboxing, if at all? It can’t assume SELinux is available?
The binary does link to libselinux.so.1
Edit: Apparently, the sandbox itself is created by a setuid root executable that simply creates an empty chroot jail (root being needed for chroot, but unavailable for Chrome).
Edited 2010-06-15 00:41 UTC
If you just want to write sandboxed code on Windows and are on Vista or later you can go with the Integrity Mechanism, which is a pretty well-designed and comprehensive out-of-the-box feature:
http://msdn.microsoft.com/en-us/library/bb625964.aspx
On XP you can do the same thing, but it is rather hairy, since you need to mix several different mechanisms (job objects, alternate desktops). Which is where the Chromium sandbox library is great, you can actually build and use it independently of Chrome. Just grab the Chromium code, the sandbox folder is a stand-alone library, complete with some examples iirc. This stuff is a nice read on the topic:
http://www.chromium.org/developers/design-documents/sandbox/Sandbox…
http://www.chromium.org/developers/design-documents/sandbox
For Linux Chrome has a bunch of different approaches:
http://code.google.com/p/chromium/wiki/LinuxSandboxing
Unfortunately the one that is always available (the SUID method) is pretty weak, notably allowing the sandboxed app network access (which, since it is local, means that it can access a lot of your local services). If SELinux is available you can use that and get more robust sandboxing though.