
I want to use a chroot approach when building executables in MacOS, for having great control of the files and libraries they use. Ideally maybe chroot would be enough (and it is available in MacOS), but, first of all, I think it requires the user to be root when running it, and second, I looked at the functionality offered by fakechroot and it looks more interesting than chroot for my purposes (however, fakechroot is not ported to MacOS).

In particular, fakechroot looks like the way I want to follow, because it replaces functions such as open(), and by replacing open() I could have a great degree of control over the "virtual environment" that I create for the executables. For example, instead of copying required system libs into the chroot tree, my patched open() could provide access to only the libraries I wish the executable to use.

Is there something like this already available for MacOS? Or do I need to write it myself?

cesss
  • Did you ever find a solution to this? I'm wondering if such a tool exists as well, and the current answer by thrig to use App Sandbox does not work for me. – EriC Feb 15 '22 at 21:59
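The open()-replacement idea from the question, worked through as an added example (not code from the question, from fakechroot, or from Apple). It assumes a hypothetical build tree under `/Users/builder/sandbox/` and a constructed policy: explicit allow entries win, then the listed system library trees are denied, and every other (non-system) path is permitted, which is the inversion of App Sandbox the asker describes. Paths are normalised lexically first so `/tmp/../usr/lib/x` is judged as `/usr/lib/x`. The macOS hook at the end uses dyld's `__DATA,__interpose` section and is only compiled on Apple platforms; the policy itself is plain POSIX C.

```c
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Constructed policy for a hypothetical build sandbox.  An entry ending in
 * '/' matches a whole directory tree; any other entry must match exactly. */
static const char *const kAllow[] = {
    "/Users/builder/sandbox/",      /* hypothetical private lib + work tree */
    "/usr/lib/libSystem.B.dylib",   /* the one system lib every process needs */
    "/dev/null",
    NULL
};
static const char *const kDeny[] = {  /* system trees the build must not see */
    "/usr/lib/", "/usr/local/lib/", "/System/Library/", "/Library/Frameworks/", NULL
};

static int matches(const char *const *list, const char *path) {
    for (; *list; list++) {
        size_t n = strlen(*list);
        if ((*list)[n - 1] == '/' ? strncmp(path, *list, n) == 0
                                   : strcmp(path, *list) == 0)
            return 1;
    }
    return 0;
}

/* Make raw absolute and drop "." / ".." lexically (symlinks are deliberately
 * not followed here).  Returns 1 on success, 0 if the path does not fit. */
static int normalize_path(const char *raw, char *out, size_t outlen) {
    char work[PATH_MAX];
    size_t olen = 0;
    if (raw[0] == '/') {
        if (strlen(raw) >= sizeof work) return 0;
        strcpy(work, raw);
    } else {                                      /* relative: prepend cwd */
        if (!getcwd(work, sizeof work)) return 0;
        size_t n = strlen(work);
        if (n + 1 + strlen(raw) >= sizeof work) return 0;
        work[n] = '/';
        strcpy(work + n + 1, raw);
    }
    for (const char *p = work; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t slen = (size_t)(p - seg);
        if (slen == 1 && seg[0] == '.') continue;
        if (slen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (olen > 0 && out[olen - 1] != '/') olen--;  /* pop component */
            if (olen > 0) olen--;                              /* and its slash */
            continue;
        }
        if (olen + 1 + slen >= outlen) return 0;
        out[olen++] = '/';
        memcpy(out + olen, seg, slen);
        olen += slen;
    }
    if (olen == 0) { if (outlen < 2) return 0; out[olen++] = '/'; }
    out[olen] = '\0';
    return 1;
}

/* Policy decision: allow list, then deny list, then default-permit. */
int path_allowed(const char *raw) {
    char norm[PATH_MAX];
    if (!normalize_path(raw, norm, sizeof norm)) return 0;
    if (matches(kAllow, norm)) return 1;
    if (matches(kDeny, norm)) return 0;
    return 1;
}

/* Same contract as open(2), but fails with EACCES when the policy says no. */
int guarded_open(const char *path, int flags, mode_t mode) {
    if (!path_allowed(path)) { errno = EACCES; return -1; }
    return open(path, flags, mode);
}

#ifdef __APPLE__
/* macOS hook: build as a dylib and load it with DYLD_INSERT_LIBRARIES.  The
 * __interpose section makes dyld route other images' open() calls through
 * interposed_open; this dylib's own call to open() is not rerouted. */
static int interposed_open(const char *path, int flags, ...) {
    mode_t mode = 0;
    if (flags & O_CREAT) {               /* mode is only present with O_CREAT */
        va_list ap; va_start(ap, flags); mode = (mode_t)va_arg(ap, int); va_end(ap);
    }
    return guarded_open(path, flags, mode);
}
__attribute__((used, section("__DATA,__interpose")))
static const struct { const void *replacement; const void *original; }
    open_interpose = { (const void *)interposed_open, (const void *)open };
#endif
```

On macOS this would be built with `clang -dynamiclib -o libguard.dylib guard.c` and used as `DYLD_INSERT_LIBRARIES=./libguard.dylib ./build-tool`. Two caveats matter for the asker's goal: dyld ignores `DYLD_INSERT_LIBRARIES` for hardened-runtime and SIP-protected binaries, so this only works on tools you build yourself, and dyld loads dynamic libraries through its own code path rather than through libc's open(), so interposing open() alone constrains what the program reads, not which dylibs get linked in; openat(), stat(), access() and dlopen() would need the same treatment.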

1 Answer


App Sandbox is perhaps more suitable than trying to port third-party code, as it operates in the kernel and is supported by Apple; quoting from the link:

By limiting access to sensitive resources on a per-app basis, App Sandbox provides a last line of defense against the theft, corruption, or deletion of user data, or the hijacking of system hardware, if an attacker successfully exploits security holes in your app. For example, a sandboxed app must explicitly state its intent to use any of the following resources using entitlements:

...

On the other hand, a sandboxed app has access to the specific resources you request, allows users to expand the sandbox by performing typical actions in the usual way (such as drag and drop), and can automatically perform many additional actions deemed safe ...

thrig
  • Are you sure you can limit filesystem read access with `App Sandbox`? Searching the docs I find settings for disabling write access, but not read access (and I need to disable read access, in order to force the use of only the desired set of dynamic libraries) – cesss Jan 18 '18 at 17:43
  • What docs were you reading? "App Sandbox Design Guide" talks about various filesystem access knobs, and "Entitlement Key Reference" shows various settings that can go into the entitlements, and a quick trip through the Xcode tutorial shows "read" vs. "r/w" vs. "write-only" options for various filesystem entitlements. – thrig Jan 18 '18 at 18:35
  • That document says that _"In addition, the system automatically permits a sandboxed app to: [...] Read files that are world readable, in certain directories, including the following directories: /bin /sbin /usr/bin /usr/lib..."_ and those are precisely the directories whose access I want to limit. I have the impression that **App Sandbox** has the opposite goal to the solution I need: I want isolation from the system directories while not caring about non-system directories. And **App Sandbox** is the opposite: isolation from non-system directories, while not caring about system directories – cesss Jan 19 '18 at 08:43