Sandboxing
We should investigate seccomp, apparmor and other methods of making sure CoyIM doesn't do anything bad.
Is this issue's goal achieved by https://wiki.gnome.org/Projects/SandboxedApps or is this issue about something simpler?
This seems really convenient, but none of it seems ready at all right now. I think for now, things like seccomp and apparmor are more practical.
This TorMessenger ticket has some resources: https://trac.torproject.org/projects/tor/ticket/10943
On Linux, we should just use Gosecco, and reuse the profile file that Subgraph has developed, assuming the kernel supports seccomp.
Are there any sandboxing solutions available for Windows or OS X?
Found this: http://jbremer.org/intercepting-system-calls-on-x86_64-windows/, will do some investigation.
For macOS there's https://developer.apple.com/library/content/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
On macOS, I've run coy (from /tmp/MyApp.app) in a sandbox to trace what the application uses. This is the output of sandbox-simplify on the trace output:
sandbox-simplify /tmp/coy-trace-output.sb
(version 1)
(deny default)
(allow file-ioctl
(literal "/dev/dtracehelper"))
(allow file-read*
(literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
(literal "/Users/[username]/.config/coyim/accounts.json")
(literal "/Users/[username]/.purple/accounts.xml")
(literal "/Users/[username]/.purple/blist.xml")
(literal "/Users/[username]/.purple/otr.fingerprints")
(literal "/Users/[username]/.purple/otr.private_key")
(literal "/Users/[username]/.purple/prefs.xml")
(literal "/Users/[username]/Library/Application Support/Adium 2.0/Users/Default/Accounts.plist")
(literal "/Users/[username]/Library/Application Support/Adium 2.0/Users/Default/libpurple/accounts.xml")
(literal "/Users/[username]/Library/Application Support/Adium 2.0/Users/Default/libpurple/blist.xml")
(literal "/Users/[username]/Library/Application Support/Adium 2.0/Users/Default/libpurple/prefs.xml")
(literal "/Users/[username]/Library/Application Support/Adium 2.0/Users/Default/otr.fingerprints")
(literal "/Users/[username]/Library/Application Support/Adium 2.0/Users/Default/otr.private_key")
(literal "/Users/[username]/Library/Input Methods")
(literal "/Users/[username]/Library/Keyboard Layouts")
(literal "/Users/[username]/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist")
(literal "/dev/dtracehelper")
(literal "/dev/null")
(literal "/dev/random")
(literal "/dev/urandom")
(literal "/private/tmp/MyApp.app")
(literal "/private/tmp/MyApp.app/Contents")
(literal "/private/tmp/MyApp.app/Contents/F/im-quartz.so")
(literal "/private/tmp/MyApp.app/Contents/F/libatk-1.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libcairo-gobject.2.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libcairo.2.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libepoxy.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libffi.6.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libfontconfig.1.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libfreetype.6.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libgdk-3.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libgdk_pixbuf-2.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libgio-2.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libglib-2.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libgmodule-2.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libgobject-2.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libgthread-2.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libgtk-3.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libharfbuzz.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libintl.8.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libpango-1.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libpangocairo-1.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libpangoft2-1.0.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libpcre.1.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libpixbufloader-png.so")
(literal "/private/tmp/MyApp.app/Contents/F/libpixman-1.0.dylib")
(literal "/private/tmp/MyApp.app/Contents/F/libpng16.16.dylib")
(literal "/private/tmp/MyApp.app/Contents/Info.plist")
(literal "/private/tmp/MyApp.app/Contents/MacOS")
(literal "/private/tmp/MyApp.app/Contents/MacOS/Coy-bin")
(literal "/private/tmp/MyApp.app/Contents/MacOS/i18n/en_US/LC_MESSAGES/coy.mo")
(literal "/private/tmp/MyApp.app/Contents/Resources")
(literal "/private/tmp/MyApp.app/Contents/Resources/etc/gtk-3.0/gtk.immodules")
(literal "/private/tmp/MyApp.app/Contents/Resources/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/16x16/actions/pan-end-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/16x16/actions/window-close-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/16x16/actions/window-maximize-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/16x16/actions/window-minimize-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/16x16/status/image-missing.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/32x32/actions/pan-end-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/32x32/actions/window-close-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/32x32/actions/window-maximize-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/32x32/actions/window-minimize-symbolic.symbolic.png")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/icon-theme.cache")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/index.theme")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/hicolor/index.theme")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/mime/mime.cache")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/themes/Mac/gtk-3.0/gtk-keys.css")
(literal "/usr/local/Cellar/gettext/0.19.8.1/share/locale/locale.alias")
(literal "/usr/local/Cellar/gtk+3/3.22.2/share/locale/en/LC_MESSAGES/gtk30-properties.mo")
(literal "/usr/local/Cellar/gtk+3/3.22.2/share/locale/en/LC_MESSAGES/gtk30.mo")
(literal "/usr/local/lib/gio/modules")
(literal "/usr/local/lib/gio/modules/giomodule.cache")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/coyim-schema289301376/gschemas\.compiled$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/coyim-schema947375473/gschemas\.compiled$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents/Info\.plist$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents/MacOS/terminal-notifier$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents/Resources$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents/Resources/en\.lproj$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents/Resources/en\.lproj/InfoPlist\.strings$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents/Resources/en\.lproj/MainMenu\.nib$")
(subpath "/System")
(subpath "/usr/share"))
(allow file-read-metadata
(literal "/")
(literal "/Applications/CoyIM.app/Contents/Info.plist")
(literal "/Users/[username]")
(literal "/Users/[username]/.config/coyim")
(literal "/Users/[username]/Library")
(literal "/Users/[username]/Library/Preferences")
(literal "/Users/[username]/Library/Saved Application State")
(literal "/Users/[username]/Library/Saved Application State/im.coy.coyim.savedState")
(literal "/etc")
(literal "/home")
(literal "/net")
(literal "/private")
(literal "/private/etc/localtime")
(literal "/private/tmp")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/Adwaita/8x8/emblems")
(literal "/private/tmp/MyApp.app/Contents/Resources/share/icons/hicolor")
(literal "/private/var")
(literal "/private/var/db/.AppleSetupDone")
(literal "/private/var/folders")
(literal "/private/var/folders/v1")
(literal "/private/var/folders/v1/ttnf970x6hn8f4kd9795lj0r0000gn")
(literal "/tmp")
(literal "/usr/local/Cellar/glib-networking/2.50.0/lib/gio/modules/libgiognomeproxy.so")
(literal "/usr/local/Cellar/glib-networking/2.50.0/lib/gio/modules/libgiognutls.so")
(literal "/usr/local/lib/gio/modules/libgiognomeproxy.so")
(literal "/usr/local/lib/gio/modules/libgiognutls.so")
(literal "/var")
(regex "^/private/var/folders/[^/]+/[^/]+/T$")
(regex "^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3$")
(subpath "/usr/lib"))
(allow file-write*
(literal "/Users/[username]/.config/coyim/accounts.json")
(literal "/Users/[username]/.config/coyim/accounts.json.000~")
(literal "/Users/[username]/Library/Saved Application State/im.coy.coyim.savedState")
(literal "/Users/[username]/Library/Saved Application State/im.coy.coyim.savedState/data.data")
(literal "/Users/[username]/Library/Saved Application State/im.coy.coyim.savedState/windows.plist")
(regex "^/private/var/folders/[^/]+/[^/]+/T/coyim-schema289301376$")
(regex "^/private/var/folders/[^/]+/[^/]+/T/coyim-schema947375473$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/coyim-schema289301376/gschemas\.compiled$")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/coyim-schema947375473/gschemas\.compiled$"))
(allow file-write-data
(literal "/dev/dtracehelper"))
(allow iokit-open
(iokit-user-client-class "IOHIDParamUserClient"))
(allow ipc-posix-shm-read-data
(ipc-posix-name "/tmp/com.apple.csseed.137")
(ipc-posix-name "CFPBS:186A5:")
(ipc-posix-name "apple.shm.cfprefsd.501")
(ipc-posix-name "apple.shm.cfprefsd.daemon")
(ipc-posix-name "apple.shm.notification_center")
(ipc-posix-name "com.apple.ColorSync.Gen.lock")
(ipc-posix-name "com.apple.ColorSync.GenRGB"))
(allow ipc-posix-shm-read-metadata
(ipc-posix-name "com.apple.ColorSync.GenRGB"))
(allow ipc-posix-shm-write-data
(ipc-posix-name "CFPBS:186A5:")
(ipc-posix-name "com.apple.ColorSync.Gen.lock"))
(allow mach-lookup
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.FontServer")
(global-name "com.apple.audio.coreaudiod")
(global-name "com.apple.cfprefsd.agent")
(global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.coreservices.appleevents")
(global-name "com.apple.coreservices.launchservicesd")
(global-name "com.apple.coreservices.quarantine-resolver")
(global-name "com.apple.cvmsServ")
(global-name "com.apple.distributed_notifications@Uv3")
(global-name "com.apple.dock.server")
(global-name "com.apple.pasteboard.1")
(global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.opendirectoryd.libinfo")
(global-name "com.apple.system.opendirectoryd.membership")
(global-name "com.apple.tsm.uiserver")
(global-name "com.apple.usernoted.client")
(global-name "com.apple.window_proxies")
(global-name "com.apple.windowserver.active"))
(allow mach-register
(local-name "com.apple.CFPasteboardClient")
(local-name "com.apple.axserver")
(local-name "com.apple.coredrag")
(local-name "com.apple.tsm.portname"))
(allow network-inbound
(local tcp "*:*")
(local tcp "localhost:*"))
(allow network-outbound
(remote tcp "localhost:9050"))
(allow process-exec*
(literal "/private/tmp/MyApp.app/Contents/MacOS/Coy-bin")
(regex #"^/private/var/folders/[^/]+/[^/]+/T/gosxnotifier/terminal-notifier-1\.6\.3/terminal-notifier\.app/Contents/MacOS/terminal-notifier$"))
(allow process-fork)
(allow sysctl-read
(sysctl-name "hw.activecpu")
(sysctl-name "hw.busfrequency_max")
(sysctl-name "hw.cachelinesize")
(sysctl-name "hw.cpufrequency_max")
(sysctl-name "hw.l3cachesize")
(sysctl-name "hw.logicalcpu_max")
(sysctl-name "hw.memsize")
(sysctl-name "hw.ncpu")
(sysctl-name "hw.pagesize_compat")
(sysctl-name "hw.physicalcpu_max")
(sysctl-name "kern.hostname")
(sysctl-name "kern.ipc.somaxconn")
(sysctl-name "kern.osrelease")
(sysctl-name "kern.proc.pid.52071")
(sysctl-name "kern.proc.pid.52109")
(sysctl-name "kern.proc.pid.52162")
(sysctl-name "kern.safeboot")
(sysctl-name "kern.usrstack64")
(sysctl-name "machdep.cpu.brand_string")
(sysctl-name "sysctl.name2oid"))
We could start by reviewing this and start using it in the mac bundle.
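As an added review helper (not CoyIM code and not part of the posted profile), the script below parses SBPL in the shape sandbox-simplify emits and flags the allow rules a reviewer would question first: unfiltered allows, network filters with a wildcard, and subpath rules opening a whole top-level tree. PROFILE is a constructed excerpt of the trace above, and the three heuristics are this example's own choices.

```python
"""Review an SBPL profile of the kind sandbox-simplify emits. Added example, not
CoyIM code; PROFILE is a constructed excerpt and the heuristics are this example's own."""
import re

# Constructed excerpt: same shape as the posted trace, trimmed to a few rules.
PROFILE = r'''(version 1)
(deny default)
(allow file-read*
    (regex #"^/private/var/folders/[^/]+/[^/]+/T/coyim-schema289301376/gschemas\.compiled$")
    (subpath "/System"))
(allow network-inbound
    (local tcp "*:*")
    (local tcp "localhost:*"))
(allow network-outbound
    (remote tcp "localhost:9050"))
(allow process-fork)
'''

# Tokens: parens, optionally #-prefixed quoted strings (with escapes), bare atoms.
TOKEN = re.compile(r'\(|\)|#?"(?:[^"\\]|\\.)*"|[^\s()]+')

def parse(text):
    """Turn SBPL text into nested lists; quoted strings lose the quotes and '#'."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == '(':
            stack.append([])
        elif tok == ')':
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok.lstrip('#').strip('"'))
    return stack[0]

def review(text):
    """Return (operation, filter-or-None) pairs worth a reviewer's attention."""
    findings = []
    for form in parse(text):
        if not form or form[0] != 'allow':
            continue
        op, filters = form[1], form[2:]
        if not filters:                      # e.g. (allow process-fork): unfiltered
            findings.append((op, None))
        for f in filters:
            kind, arg = f[0], f[-1]
            if kind in ('local', 'remote') and '*' in arg:   # wildcard host or port
                findings.append((op, f'{kind} {arg}'))
            if kind == 'subpath' and arg.count('/') == 1:    # whole top-level tree
                findings.append((op, f'subpath {arg}'))
    return findings
```

Run against the full trace above, the same four findings come out: the /System subpath under file-read*, both inbound wildcards, and the unfiltered process-fork, while `(subpath "/usr/share")` and `(subpath "/usr/lib")` pass the top-level-tree test.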
Nice! So, this sandboxing tool is primarily for files, not for syscalls and so on, is that correct?
It does not seem to provide that level of control; it provides control over file access, IPC, networking, process handling and the system environment.
Look at this: https://www.romab.com/ironsuite/SBPL.html
I see #429 is already linked and I agree that for linux we should focus on flatpak (or AppImage), which already sandboxes the contained app (see e.g. https://github.com/flatpak/flatpak/wiki/Sandbox).
Flatpak definitely has a bunch of useful stuff, and specifically from a sandboxing perspective, it also seems to do a lot. However, on the negative side, some of the things it provides are very coarse grained - like network permissions. DConf access seems a bit hacky, and there are some other things that seem problematic too. The biggest problem for me seems to be that it would require us to rewire the whole build process and have it very separate - something that would be highly annoying, since our current build process works well on other platforms too.
I discourage you from using flatpak and similar projects, they are just a disaster for now.
But the good news is:
- Debian Buster added AppArmor by default, so I hope to see a CoyIM profile added.
- Firejail/seccomp is now shipping profiles for various applications, so I hope to see a CoyIM profile added.
Firejail 0.9.64.2 now has a profile for CoyIM.
Great, @rusty-snake - thank you! I'll take a look soon.
Firejail looks interesting, though not updated much. But for coyim, an AppImage would be very great to have. Any plan to have one to get full compatibility?