Sandbox Validator

Building a tool to verify decompiled Sandbox Profiles in C

Karol Mazurek
11 min read · Jul 30, 2024

INTRO

I have published two posts about App Sandbox on macOS. The first one was about compiling the Sandbox Profiles with sandbox_compile_file:

After publishing that article, guyru commented suggesting I check out their SandBlaster fork if I was interested in decompiling Sandbox Profiles:

I looked into the tool and noticed that no Sandbox Operation extractor had been implemented. I continued learning about the Sandbox, discovered how to extract the operations on macOS, and pushed the change to the forked SandBlaster repo.

The extraction is simple, and I described it below. I was happy the tool worked for Sonoma, so I did not have to write a decompiler from scratch.

Then I published the second article, about detecting whether a running process is sandboxed by calling sandbox_check with its PID:

After publishing that article, bdash commented that sandbox_check can also be used to check particular operations in the context of a process:

I wondered whether it was possible to combine these two things and upgrade SandBlaster with a validator that checks the sandbox boundaries of a decompiled profile against a live process.

I started searching for whether somebody had already created something like this and found a great presentation by Jonathan Levin in which he showed his sbtool:
