App Sandbox startup
How and when the process is Sandboxed on macOS

INTRO
This article explains how the Sandbox is enforced on an app. The main point is to show what is necessary for the sandbox to be enforced on the app at launch, which system component applies it, and where it is used during the execution flow. Below, we can see a high-level overview of that:

Both of the above-shown ways end up with a call to Sandbox Kernel Extension that initializes Sandbox on the app process. We will start by analyzing the default (proper) way, where the sandbox entitlement exists.
The entitlement way
The extension is invoked by libsystem_secinit.dylib. We can find the _libsecinit_appsandbox function by listing all symbols with sandbox in the name:

To get the stack trace showing exactly where this function is called from, we can load the sandboxed app under lldb, set a breakpoint on it, and run:

$ lldb test.app
(lldb) br set -n _libsecinit_appsandbox
(lldb) r
As we can see, the function _libsecinit_appsandbox is executed during the early loading of libsystem_secinit by Dyld, in its prepare() function.
I wrote about Dyld in the series below; prepare() is described in part XI.
When we try to do the same with an unsandboxed app (one without the com.apple.security.app-sandbox entitlement), the breakpoint is never hit:
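The whole "entitlement way" hinges on one thing: whether the binary's embedded entitlements contain com.apple.security.app-sandbox set to true. The following is an added example, not code from the original article, that performs that check offline on constructed sample plists. The `dump_entitlements` helper and its `codesign -d --entitlements :-` invocation are an assumption about how the blob is obtained on a real macOS system and are not exercised here.

```python
"""Decide whether an app's entitlements request the App Sandbox.

Added example, not part of the original article. On macOS the entitlements
blob is normally dumped with `codesign -d --entitlements :- /path/to/App.app`
(assumed invocation; recent releases may additionally need `--xml`). To keep
the check runnable offline, two constructed plists are embedded below.
"""
import plistlib
import subprocess

APP_SANDBOX_KEY = "com.apple.security.app-sandbox"
SECURITY_PREFIX = "com.apple.security."

# Constructed sample: entitlements of an app that opts into the sandbox.
SANDBOXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: an app that is signed but never asks for the sandbox.
# Note the key is present but explicitly false, which must also count as "no".
UNSANDBOXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""


def parse_entitlements(blob: bytes) -> dict:
    """Parse an entitlements plist into a dict.

    An empty blob is what codesign hands back for an unsigned or
    entitlement-less binary, so it maps to an empty dict rather than an error.
    Anything non-empty that is not a plist dictionary is treated as malformed.
    """
    if not blob.strip():
        return {}
    try:
        data = plistlib.loads(blob)
    except plistlib.InvalidFileException as exc:
        raise ValueError("entitlements blob is not a valid plist") from exc
    if not isinstance(data, dict):
        raise ValueError("entitlements plist root is not a dictionary")
    return data


def sandbox_requested(blob: bytes) -> bool:
    """True only if com.apple.security.app-sandbox is present and boolean true.

    A missing key, <false/>, or a non-boolean value (e.g. the string "true")
    all mean libsystem_secinit will not initialize the sandbox for the process.
    """
    return parse_entitlements(blob).get(APP_SANDBOX_KEY) is True


def security_entitlements(blob: bytes) -> list:
    """Sorted list of com.apple.security.* keys that are set to true.

    Handy when reviewing how wide the sandbox profile of an app really is.
    """
    ents = parse_entitlements(blob)
    return sorted(k for k, v in ents.items()
                  if k.startswith(SECURITY_PREFIX) and v is True)


def dump_entitlements(app_path: str) -> bytes:
    """Fetch the raw entitlements plist from a bundle on macOS (assumed CLI usage).

    `:-` asks codesign to strip the binary blob header and write XML to stdout.
    Not runnable off macOS; included only to show where the bytes come from.
    """
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for name, blob in (("sandboxed", SANDBOXED_PLIST), ("unsandboxed", UNSANDBOXED_PLIST)):
        print(f"{name}: sandbox={sandbox_requested(blob)} "
              f"security keys={security_entitlements(blob)}")
```

The decisive test is `sandbox_requested`: it is the same yes/no that determines whether the _libsecinit_appsandbox breakpoint above is ever reached, so it is a quick way to predict, before attaching a debugger, whether a given bundle will go through the entitlement path at all.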