hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox
2023-06-08 17:55:49 +00:00
..
macos-sandbox-debug-and-bypass.md Translated ['README.md', 'macos-hardening/macos-security-and-privilege-e 2023-06-08 17:55:49 +00:00
README.md Translated to French 2023-06-03 13:10:46 +00:00

Bac à sable macOS

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Informations de base

Le bac à sable macOS (initialement appelé Seatbelt) limite les applications s'exécutant dans le bac à sable aux actions autorisées spécifiées dans le profil Sandbox avec lequel l'application s'exécute. Cela contribue à garantir que l'application n'accédera qu'aux ressources attendues.

Toute application avec l'autorisation com.apple.security.app-sandbox sera exécutée dans le bac à sable. Les binaires Apple sont généralement exécutés dans un bac à sable et pour publier dans l'App Store, cette autorisation est obligatoire. Ainsi, la plupart des applications seront exécutées dans le bac à sable.

Pour contrôler ce qu'un processus peut ou ne peut pas faire, le bac à sable a des hooks dans tous les appels système à travers le noyau. Selon les autorisations de l'application, le bac à sable autorise certaines actions.

Certains composants importants du bac à sable sont :

  • L'extension de noyau /System/Library/Extensions/Sandbox.kext
  • Le framework privé /System/Library/PrivateFrameworks/AppSandbox.framework
  • Un démon s'exécutant dans l'espace utilisateur /usr/libexec/sandboxd
  • Les conteneurs ~/Library/Containers

Dans le dossier des conteneurs, vous pouvez trouver un dossier pour chaque application exécutée dans le bac à sable avec le nom de l'ID de bundle :

ls -l ~/Library/Containers
total 0
drwx------@ 4 username  staff  128 May 23 20:20 com.apple.AMPArtworkAgent
drwx------@ 4 username  staff  128 May 23 20:13 com.apple.AMPDeviceDiscoveryAgent
drwx------@ 4 username  staff  128 Mar 24 18:03 com.apple.AVConference.Diagnostic
drwx------@ 4 username  staff  128 Mar 25 14:14 com.apple.Accessibility-Settings.extension
drwx------@ 4 username  staff  128 Mar 25 14:10 com.apple.ActionKit.BundledIntentHandler
[...]

À l'intérieur de chaque dossier d'identifiant de bundle, vous pouvez trouver le fichier plist et le répertoire Data de l'application :

cd /Users/username/Library/Containers/com.apple.Safari
ls -la
total 104
drwx------@   4 username  staff    128 Mar 24 18:08 .
drwx------  348 username  staff  11136 May 23 20:57 ..
-rw-r--r--    1 username  staff  50214 Mar 24 18:08 .com.apple.containermanagerd.metadata.plist
drwx------   13 username  staff    416 Mar 24 18:05 Data

ls -l Data
total 0
drwxr-xr-x@  8 username  staff   256 Mar 24 18:08 CloudKit
lrwxr-xr-x   1 username  staff    19 Mar 24 18:02 Desktop -> ../../../../Desktop
drwx------   2 username  staff    64 Mar 24 18:02 Documents
lrwxr-xr-x   1 username  staff    21 Mar 24 18:02 Downloads -> ../../../../Downloads
drwx------  35 username  staff  1120 Mar 24 18:08 Library
lrwxr-xr-x   1 username  staff    18 Mar 24 18:02 Movies -> ../../../../Movies
lrwxr-xr-x   1 username  staff    17 Mar 24 18:02 Music -> ../../../../Music
lrwxr-xr-x   1 username  staff    20 Mar 24 18:02 Pictures -> ../../../../Pictures
drwx------   2 username  staff    64 Mar 24 18:02 SystemData
drwx------   2 username  staff    64 Mar 24 18:02 tmp

{% hint style="danger" %} Notez que même si les liens symboliques sont là pour "s'échapper" du Sandbox et accéder à d'autres dossiers, l'application doit toujours avoir les autorisations pour y accéder. Ces autorisations sont à l'intérieur du fichier .plist. {% endhint %}

# Get permissions
plutil -convert xml1 .com.apple.containermanagerd.metadata.plist -o -

# In this file you can find the entitlements:
<key>Entitlements</key>
	<dict>
		<key>com.apple.MobileAsset.PhishingImageClassifier2</key>
		<true/>
		<key>com.apple.accounts.appleaccount.fullaccess</key>
		<true/>
		<key>com.apple.appattest.spi</key>
		<true/>
[...]

# Some parameters
<key>Parameters</key>
	<dict>
		<key>_HOME</key>
		<string>/Users/username</string>
		<key>_UID</key>
		<string>501</string>
		<key>_USER</key>
		<string>username</string>
[...]

# The paths it can access
<key>RedirectablePaths</key>
	<array>
		<string>/Users/username/Downloads</string>
		<string>/Users/username/Documents</string>
		<string>/Users/username/Library/Calendars</string>
		<string>/Users/username/Desktop</string>
[...]

Profils Sandbox

Les profils Sandbox sont des fichiers de configuration qui indiquent ce qui est autorisé/interdit dans cette Sandbox. Il utilise le langage de profil Sandbox (SBPL), qui utilise le langage de programmation Scheme.

Voici un exemple :

(version 1) ; First you get the version

(deny default) ; Then you shuold indicate the default action when no rule applies

(allow network*) ; You can use wildcards and allow everything

(allow file-read* ; You can specify where to apply the rule
    (subpath "/Users/username/")
    (literal "/tmp/afile")
    (regex #"^/private/etc/.*")
)

(allow mach-lookup
    (global-name "com.apple.analyticsd")
)

{% hint style="success" %} Consultez cette recherche pour vérifier d'autres actions qui pourraient être autorisées ou refusées. {% endhint %}

Des services système importants s'exécutent également dans leur propre bac à sable personnalisé tels que le service mdnsresponder. Vous pouvez voir ces profils de bac à sable personnalisés dans:

Les applications de l'App Store utilisent le profil /System/Library/Sandbox/Profiles/application.sb. Vous pouvez vérifier dans ce profil comment les autorisations telles que com.apple.security.network.server permettent à un processus d'utiliser le réseau.

SIP est un profil de bac à sable appelé platform_profile dans /System/Library/Sandbox/rootless.conf

Exemples de profils de bac à sable

Pour démarrer une application avec un profil de bac à sable spécifique, vous pouvez utiliser:

sandbox-exec -f example.sb /Path/To/The/Application

{% code title="touch.sb" %}

Sandbox for the touch command

(version 1)

(deny default)

(allow file-read-data file-read-metadata (regex #"^/usr/share/locale/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Desktop/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Documents/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Downloads/.*"))

(allow file-write-data (regex #"^/private/tmp/.*"))

(allow file-write-data (regex #"^/var/tmp/.*"))

(allow file-write-data (regex #"^/tmp/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Library/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Music/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Pictures/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Public/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Sites/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Applications/.*"))

(allow file-write-data (regex #"^/Users/[^/]+/Movies/.*"))

(allow file-write

(version 1)
(deny default)
(allow file* (literal "/tmp/hacktricks.txt"))

{% endcode %} (This is a markdown tag and should not be translated)

# This will fail because default is denied, so it cannot execute touch
sandbox-exec -f touch.sb touch /tmp/hacktricks.txt
# Check logs
log show --style syslog --predicate 'eventMessage contains[c] "sandbox"' --last 30s
[...]
2023-05-26 13:42:44.136082+0200  localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) process-exec* /usr/bin/touch
2023-05-26 13:42:44.136100+0200  localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /usr/bin/touch
2023-05-26 13:42:44.136321+0200  localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /var
2023-05-26 13:42:52.701382+0200  localhost kernel[0]: (Sandbox) 5 duplicate reports for Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /var
[...]

{% code title="touch2.sb" %}

(version 1)
(deny default)
(allow file* (literal "/tmp/hacktricks.txt"))
(allow process* (literal "/usr/bin/touch"))
; This will also fail because:
; 2023-05-26 13:44:59.840002+0200  localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-metadata /usr/bin/touch
; 2023-05-26 13:44:59.840016+0200  localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /usr/bin/touch
; 2023-05-26 13:44:59.840028+0200  localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /usr/bin
; 2023-05-26 13:44:59.840034+0200  localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-metadata /usr/lib/dyld
; 2023-05-26 13:44:59.840050+0200  localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) sysctl-read kern.bootargs
; 2023-05-26 13:44:59.840061+0200  localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /

{% code title="touch3.sb" %}

(version 1)
(deny default)
(allow file* (literal "/private/tmp/hacktricks.txt"))
(allow process* (literal "/usr/bin/touch"))
(allow file-read-data (literal "/"))
; This one will work

{% endcode %} {% endtab %} {% endtabs %}

{% hint style="info" %} Notez que le logiciel développé par Apple qui s'exécute sur Windows n'a pas de précautions de sécurité supplémentaires, telles que l'application de sandbox. {% endhint %}

Exemples de contournement :

Débogage et contournement de la sandbox

Les processus ne naissent pas sandboxés sur macOS : contrairement à iOS, où la sandbox est appliquée par le noyau avant la première instruction d'un programme, sur macOS un processus doit élire de se placer dans la sandbox.

Les processus sont automatiquement sandboxés depuis l'espace utilisateur lorsqu'ils démarrent s'ils ont l'attribution : com.apple.security.app-sandbox. Pour une explication détaillée de ce processus, consultez :

{% content-ref url="macos-sandbox-debug-and-bypass.md" %} macos-sandbox-debug-and-bypass.md {% endcontent-ref %}

Vérifier les privilèges PID

Selon cela, sandbox_check (c'est un __mac_syscall), peut vérifier si une opération est autorisée ou non par la sandbox dans un certain PID.

L'outil sbtool peut vérifier si un PID peut effectuer une certaine action :

sbtool <pid> mach #Check mac-ports (got from launchd with an api)
sbtool <pid> file /tmp #Check file access
sbtool <pid> inspect #Gives you an explaination of the sandbox profile
sbtool <pid> all

Profils SBPL personnalisés dans les applications de l'App Store

Il est possible pour les entreprises de faire fonctionner leurs applications avec des profils Sandbox personnalisés (au lieu du profil par défaut). Elles doivent utiliser l'entitlement com.apple.security.temporary-exception.sbpl qui doit être autorisé par Apple.

Il est possible de vérifier la définition de cet entitlement dans /System/Library/Sandbox/Profiles/application.sb:

(sandbox-array-entitlement
  "com.apple.security.temporary-exception.sbpl"
  (lambda (string)
    (let* ((port (open-input-string string)) (sbpl (read port)))
      (with-transparent-redirection (eval sbpl)))))

Cela évaluera la chaîne après cette autorisation en tant que profil Sandbox.

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥