hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-sandbox
2023-05-25 19:17:14 +00:00
..
macos-sandbox-debug-and-bypass.md GITBOOK-3945: change request with no subject merged in GitBook 2023-05-25 19:17:14 +00:00
README.md GITBOOK-3945: change request with no subject merged in GitBook 2023-05-25 19:17:14 +00:00

macOS Sandbox

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Basic Information

Start Sandbox

Processes are not born sandboxed on macOS: unlike iOS, where the sandbox is applied by the kernel before the first instruction of a program executes, on macOS a process must elect to place itself into the sandbox.

Processes are automatically Sandboxed from userland when they start if they have the entitlement: com.apple.security.app-sandbox. For a detailed explanation of this process check:

{% content-ref url="macos-sandbox-debug-and-bypass.md" %} macos-sandbox-debug-and-bypass.md {% endcontent-ref %}

Check PID Privileges

According to this, the sandbox_check (it's a __mac_syscall), can check if an operation is allowed or not by the sandbox in a certain PID.

The tool sbtool can check if a PID can perform a certain action:

sbtool <pid> mach #Check mac-ports (got from launchd with an api)
sbtool <pid> file /tmp #Check file access
sbtool <pid> inspect #Gives you an explaination of the sandbox profile
sbtool <pid> all
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥