Applying sandbox-exec around Safari with a single click
Isolating it
To a certain degree it makes sense to let the web browser access every readable file on the system. But only to a certain degree. Today's threats target the browser's interactive features, and Safari has vulnerabilities.
In any case, the following restriction set is just an experiment. sandbox-exec is an Apple utility that has isolated certain services and applications since Mac OS X Leopard. It may not be there tomorrow: it isn't officially documented, and as far as I know developers aren't yet encouraged to use sandbox.h. Nevertheless, the Google Native Client project is going to use it as its "Outer Sandbox", as far as I can tell.
The Launcher
Create the following AppleScript:
do shell script "sandbox-exec -f /Users/wishi/policies/sandbox-safari.sb /Applications/Safari.app/Contents/MacOS/Safari"
Change the pathname after the -f parameter. Unless you're running the version 4 developer preview, your Safari is probably in /Applications. If you are on the version 4 preview: I only tested this with 3.2.1, and that works fine.
The .sb policy
You can find similar policy files in several places. I didn't write this one entirely myself; I borrowed bits here and there ;).
(version 1)
(debug deny) ; use (debug all) to see every action
(allow network-outbound)
(allow signal)
(allow ipc-posix-shm) ; needed for POSIX shared memory
;(allow process-exec (regex #"^/Applications/Safari.app/*"))
(allow sysctl-read)
(allow file-read-metadata)
(allow process*)
;(allow mach*)
(allow mach-lookup)
;(allow process-exec (regex "^/System/Library/CoreServices/*"))
;; Allow reading these files:
(allow file-read*
(regex
#"^/Users/wishi/$" ; the home directory itself, not everything below it
#"^/Users/wishi/Downloads"
#"^/Users/wishi/Library" ; Safari's own data (cookies, history, cache) lives here
#"^/Users/wishi/Public"
#"^/Users/wishi/Sites"
#"^/Applications/Safari.app"
#"^/Library/*"
#"^/System/Library/*"
#"^/usr/lib/*"
#"^/usr/share/*"
#"^/private/*"
#"^/dev/*"
)
)
;; Allow writing these files:
(allow file-write*
(regex
#"^/Users/wishi/Downloads/*"
#"^/Volumes/foo/bar/*" ; placeholder for an extra volume; drop it if you have none
#"^/Users/wishi/Library/.*"
#"^/private/var/*"
#"^/dev/dtracehelper"
)
)
(deny default) ; everything not allowed above is denied
Change the paths to match your system: your username isn't wishi, so your home directory differs.
Save this file in ~/policies, for example. Then save the AppleScript as an application (.app) with Script Editor.app, move it to /Applications and drag it into the Dock. Ready!
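The same setup as a shell script, added here as an example that is not part of the original post: it fills in the current user's home directory instead of the hard-coded /Users/wishi and starts Safari under the resulting policy. It assumes macOS with sandbox-exec in PATH; the policy location and the Safari path are the ones used above.

```shell
#!/bin/bash
# Added example: generate the Safari policy for the user running the script
# and launch Safari under it. Assumes macOS with sandbox-exec available.
# Print the .sb policy with the given home directory (default: $HOME).
# The paths are the same as in the hand-written policy above.
make_policy() {
  local home="${1:-$HOME}"
  cat <<EOF
(version 1)
(debug deny)                      ; use (debug all) to log every action
(allow network-outbound)
(allow signal)
(allow ipc-posix-shm)             ; POSIX shared memory
(allow sysctl-read)
(allow file-read-metadata)
(allow process*)
(allow mach-lookup)
(allow file-read*
  (regex #"^${home}/\$"           ; the home directory itself, not its contents
         #"^${home}/Downloads"
         #"^${home}/Library"
         #"^${home}/Public"
         #"^${home}/Sites"
         #"^/Applications/Safari.app"
         #"^/Library/"
         #"^/System/Library/"
         #"^/usr/lib/"
         #"^/usr/share/"
         #"^/private/"
         #"^/dev/"))
(allow file-write*
  (regex #"^${home}/Downloads/"
         #"^${home}/Library/"
         #"^/private/var/"
         #"^/dev/dtracehelper"))
(deny default)
EOF
}
# Write the generated policy to disk and run Safari under it (macOS only).
launch_sandboxed_safari() {
  local policy="${1:-$HOME/policies/sandbox-safari.sb}"
  local safari="${2:-/Applications/Safari.app/Contents/MacOS/Safari}"
  command -v sandbox-exec >/dev/null 2>&1 || { echo "sandbox-exec not found" >&2; return 1; }
  mkdir -p "$(dirname "$policy")"
  make_policy > "$policy"
  sandbox-exec -f "$policy" "$safari"
}
```

Run `make_policy` alone to inspect the generated policy before pointing the launcher at it.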
Have fun,
wishi