Document macOS sandbox security implications and __darwinAllowLocalNetworking #11488
Conversation
Split the larger paragraph above so OS-specific bits are in separate paragraphs. No changes to the split out text (just reformatting lines).
See e.g. discussion in NixOS#11270
| The macOS sandbox has known limitations, and should not be | ||
| considered a strong security boundary. |
There was a problem hiding this comment.
To be honest I think this applies to the Linux one too. (The recent sandbox escape vulnerability worked on Linux but not macOS, even.)
There was a problem hiding this comment.
I think the difference is in what we strive for. We know the macOS sandbox is deficient today, and has known sandbox escape vectors. But fixing them is either extremely difficult or impossible due to OS API limitations. Compared to Linux where we give it a CVE and (I think) generally expect to be able to fix it and do so with some urgency.
Nevertheless, I do think it is important to clarify the project’s stance on whether the Linux sandbox should be and is generally believed to be (barring unknown bugs) a security boundary.
There was a problem hiding this comment.
I guess it depends on what you consider an escape. Information exfiltration or communication with a cooperating process outside the sandbox, yeah, but I don’t think there’s a known way to escalate out of the macOS sandbox to increase privileges?
There was a problem hiding this comment.
I think that’s true.
However, part of my concern with the macOS sandbox in particular is that there are, afaik, zero tests for it (whereas the Linux sandbox has at least some). The macOS sandbox APIs provided by the OS are also notoriously under-documented, so what we think is okay today might not be with a future update or OS version—and there’s no tests to assure that. That outbound network requests were inadvertently allowed for so long is a big canary. So I think that, compared to the Linux sandbox, we shouldn’t “guarantee” so much.
There was a problem hiding this comment.
Could we link to the .sb file that sandbox-exe uses on macOS?
I believe it's one of these.
https://github.com/NixOS/nix/blob/master/src/libstore/unix/build/sandbox-defaults.sb
https://github.com/NixOS/nix/blob/master/src/libstore/unix/build/sandbox-minimal.sb
https://github.com/NixOS/nix/blob/master/src/libstore/unix/build/sandbox-network.sb
|
@bryanhonof We could, but if we do so, should we not also for the Linux sandbox rules in some way? I’m curious as well what the goal of linking to it would be. Logistically, I’m also not sure how to link to them, we would need to link to the actual rules used, I think, so it cannot be a URL. |
Motivation
These things are undocumented, that seems bad.
Context
Some discussion in #11269 and #11270
I couldn’t find any better place to put this. I didn’t put it in the manual as there are currently no references (other than release notes) to the sandbox (but perhaps there should be!).
Priorities and Process
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.