MacOS Sandboxing (#5)

* Update macos-sandbox.sb to beta * Update README.md * Added audio support * update sandbox readme to reflect new changes * (hopefully) final sandbox profile ver * Create patcher.py * Move docs/sandboxing/macos-sandbox.sb to docs/sandboxing/macos/macos-sandbox.sb * Update README.md for patcher.py * Create prism-sandbox.sb * Create README.md for launchers * Update launcher readme with reminder * eliminate the need for patcher.py * Delete patcher.py * Update README.md to remove patcher.py * Update prism-sandbox.sb to not use patcher.py * Update README.md * Update macos-sandbox.sb * prevent jdk fuckery
Minecraft-Malware-Prevention-Alliance · Jun 14, 2023 · 93f2d49 · 93f2d49
1 parent cba9226
commit 93f2d49
Show file tree

Hide file tree

Showing 5 changed files with 298 additions and 66 deletions.
diff --git a/docs/sandboxing/README.md b/docs/sandboxing/README.md
@@ -8,13 +8,17 @@ Sandboxing is a concept where we try to sandbox mods from the users host system
 
 There is no clear solution to this yet, but it should take heavy inspiration from [The Chromium Windows Sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Sandbox-Windows-architecture)
 
-### MacOS
+### Linux
+
+We could use something like flatpak here, though its unlikely, the current most likely solution is to use linux namespaces to work like a docker-like system.
+
+This is mainly solved other then implementation details
 
-*From [RayAar/minecraft-macos-sandboxing, this repo has now moved to this document](https://github.com/RayBytes/minecraft-macos-sandboxing)*
+### MacOS
 
-*Documentation in progress*
+*Implementation by Game_Time from [minecraft-macos-sandboxing, this repo has now been moved to this document](https://github.com/RayBytes/minecraft-macos-sandboxing)*
 
-The idea for MacOS sandboxing is to completely sandbox Minecraft. This will disable minecraft from accessing any harmful data which it could gain access to. We used apple's sandbox-exec and created a profile for it. The profile will* only give access to files which minecraft needs to run.
+The idea for MacOS sandboxing is to completely sandbox Minecraft. This will disable minecraft from accessing any harmful data which it could gain access to. We used apple's sandbox-exec and created a profile for it. The profile will only give access to files which minecraft needs to run.
 
 #### How does it work?
 
@@ -25,16 +29,13 @@ It uses MacOS's inbuilt `sandbox-exec` command to work, as sandbox-exec is a ful
 Run the command:
 `sandbox-exec -f Path/To/The/Sandbox/Profile/minecraft-sandbox.sb /Applications/Minecraft.app/Contents/MacOS/launcher`
 
-*Note: This project is still in development and may not function as it should, some extra files may still be given access to Minecraft which will be removed in future versions. Be vary of this before using this project.*
+*Note: This project is now in beta testing, and may be used on clients properly. Report any bugs in the [discord](https://discord.gg/zPdFK47682)*
 
 #### Sandbox Profile
 
-See [macos-sandboxing.sb](./macos-sandbox.sb)
-
-
-### Linux
+See [macos-sandboxing.sb](./macos/macos-sandbox.sb)
 
-We could use something like flatpak here, though its unlikely, the current most likely solution is to use linux namespaces to work like a docker-like system.
+# Notice
 
-This is mainly solved other then implementation details
+For other launchers, check out the launchers directory.
 
diff --git a/docs/sandboxing/macos-sandbox.sb b/docs/sandboxing/macos-sandbox.sb
diff --git a/docs/sandboxing/macos/launchers/README.md b/docs/sandboxing/macos/launchers/README.md
@@ -0,0 +1,8 @@
+# Launchers
+
+To use a launcher profile you will need to select its profile and run the sandbox profile command. 
+Here are the commands for the below current supported launchers
+
+# Prism Launcher
+
+`sandbox-exec -f /Path/To/Sandbox/minecraft-sandbox.sb /Applications/Prism\ Launcher.app/Contents/MacOS/prismlauncher`
diff --git a/docs/sandboxing/macos/launchers/prism-sandbox.sb b/docs/sandboxing/macos/launchers/prism-sandbox.sb
@@ -0,0 +1,142 @@
+
+
+(version 1)
+(deny default)
+(allow process-exec)
+(allow process-fork)
+(allow sysctl-read)
+(allow file-read-metadata)
+(allow network*)
+(allow mach*)
+(allow iokit*)
+(allow lsopen)
+(import "/System/Library/Sandbox/Profiles/bsd.sb")
+
+
+; Allow read and write access to Minecraft application files
+(allow file-read* file-write*
+  (regex #"^/Users/[^.]+/Library/Application Support/minecraft/*")
+  (subpath "/Applications/Minecraft.app/")
+  (subpath "/Applications/Minecraft.app/Contents/MacOS/launcher")
+  (regex "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState/*")
+  (subpath "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState")
+
+; Changes for Prism Launcher
+  (regex #"^/Users/[^.]+/Library/Application Support/PrismLauncher/*")
+  (subpath "/Applications/Prism Launcher.app/")
+  (subpath "/Applications/Prism Launcher.app/Contents/MacOS/launcher")
+)
+
+
+; Some other random minecraft stuff
+(allow file-issue-extension 
+  (extension-class "com.apple.app-sandbox.read") 
+  (regex #"^/Users/[^.]+/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper.app")
+)
+
+; no idea 
+(allow file-read-data
+  (subpath "/private/etc/hosts")
+)
+
+; Access to the computer user data 
+(allow mach-lookup 
+    (global-name "com.apple.biome.compute.source.user")
+)
+
+; Allow access to user inpt data & crash reporter / security plist
+(allow file-read-data
+  (regex #"^/Users/[^.]+/Library/Spelling")
+  (regex #"^/Users/[^.]+/Library/Input Methods")
+  (regex #"^/Users/[^.]+/Library/Keyboard Layouts")
+
+  (subpath "/Library/Preferences/com.apple.security.plist")
+  (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+)
+
+; Domains which minecraft needs access to, including graphics, recogition and security
+(allow user-preference-read 
+  (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs")
+  (preference-domain "com.apple.HIToolbox")
+  (preference-domain "com.apple.CoreGraphics")
+  (preference-domain "com.apple.universalaccess")
+  (preference-domain "com.apple.security")
+  (preference-domain "pbs")
+)
+
+; Allow read and write access to neccesary system files
+(allow file-read* file-write*
+  (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+  (regex #"^/Users/[^.]+/Library/Fonts/")
+  (subpath "/private/var/folders/")
+  (regex "^/Library/Java/JavaVirtualMachines/jdk\w*")
+  (regex #"^/Users/[^.]+/Library/Saved Application State/net\.java\w*")
+  (regex "/Library/Keychains/*")
+  (subpath "/private/var/db/mds/")
+)         
+
+
+; Give access to the tccd app bundle
+(allow mach-lookup (global-name "com.apple.tccd.systempolicy.appbundles"))
+
+; Diagnostic Message history access and security accesss
+(allow file-read-data 
+  (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+  (subpath "/private/var/db/searchparty/sharedVault/agents/78BFBE72-7C54-4571-8D1B-5F58D809AA3B/savedConfiguration.plist")
+  (subpath "/Library/Preferences/com.apple.networkd.plist")
+  (subpath "/private/var/db/searchparty/sharedVault/BeaconPayloadCache/")
+  (regex #"^/Users/[^.]+/Library/Preferences/com.apple.security.plist")
+)
+
+; literally no idea bro
+(allow file-read-data file-write-unlink
+  (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+)           
+
+; Allow access to Rosetta runtime
+(allow file-read*
+  (subpath "/Library/Apple/usr/libexec/oah/libRosettaRuntime")
+)
+
+; Allow access to specific system frameworks and libraries
+(allow file-read*
+  (subpath "/System/Library/Frameworks/OpenGL.framework")
+  (subpath "/System/Library/Frameworks/CoreAudio.framework")
+  (subpath "/System/Library/Frameworks/CoreMedia.framework")
+  (subpath "/System/Library/PrivateFrameworks/GameKitServices.framework")
+)
+
+; Allow access to other random stuff it needs
+(allow file-read* 
+  (subpath "/Library/Preferences/com.apple.ViewBridge.plist")
+)
+
+; Mojang preference domain access
+(allow user-preference-write
+  (preference-domain "com.mojang.mclauncher")
+  (preference-domain "com.mojang.mclauncher.helper.renderer")
+  (preference-domain "com.mojang.minecraftlauncher")
+)
+
+; More mojang preference domain access 
+(allow user-preference-read
+  (preference-domain "com.mojang.mclauncher.helper.renderer")
+  (preference-domain "com.mojang.minecraftlauncher")
+  (preference-domain "com.mojang.mclauncher")
+  (preference-domain "kCFPreferencesAnyApplication")
+)
+
+; All below is the audio access
+
+(allow ipc-posix-shm-read* ipc-posix-shm-write-data
+  (ipc-posix-name-regex #"^AudioIO"))
+
+(allow mach-lookup
+  (global-name "com.apple.audio.coreaudiod")
+  (global-name "com.apple.audio.audiohald"))
+
+(allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
+
+(allow file-read* (subpath "/Library/Audio/Plug-Ins"))
+
+(allow device-microphone)
diff --git a/docs/sandboxing/macos/macos-sandbox.sb b/docs/sandboxing/macos/macos-sandbox.sb
@@ -0,0 +1,136 @@
+(version 1)
+(deny default)
+(allow process-exec)
+(allow process-fork)
+(allow sysctl-read)
+(allow file-read-metadata)
+(allow network*)
+(allow mach*)
+(allow iokit*)
+(allow lsopen)
+(import "/System/Library/Sandbox/Profiles/bsd.sb")
+
+
+; Allow read and write access to Minecraft application files
+(allow file-read* file-write*
+  (regex #"^/Users/[^.]+/Library/Application Support/minecraft/*")
+  (subpath "/Applications/Minecraft.app/")
+  (subpath "/Applications/Minecraft.app/Contents/MacOS/launcher")
+  (regex "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState/*")
+  (subpath "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState")
+)
+
+
+; Some other random minecraft stuff
+(allow file-issue-extension 
+  (extension-class "com.apple.app-sandbox.read") 
+  (regex #"^/Users/[^.]+/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper.app")
+)
+
+; no idea what hosts is, access to java for possible custom jdk 
+(allow file-read-data
+  (subpath "/Library/Java/JavaVirtualMachines/")
+  (subpath "/private/etc/hosts")
+  (regex #"^/Users/[^.]+/Library/Saved Application State/net\.java\w*")
+)
+
+; Access to the computer user data 
+(allow mach-lookup 
+    (global-name "com.apple.biome.compute.source.user")
+)
+
+; Allow access to user inpt data & crash reporter / security plist
+(allow file-read-data
+  (regex #"^/Users/[^.]+/Library/Spelling")
+  (regex #"^/Users/[^.]+/Library/Input Methods")
+  (regex #"^/Users/[^.]+/Library/Keyboard Layouts")
+
+  (subpath "/Library/Preferences/com.apple.security.plist")
+  (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+)
+
+; Domains which minecraft needs access to, including graphics, recogition and security
+(allow user-preference-read 
+  (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs")
+  (preference-domain "com.apple.HIToolbox")
+  (preference-domain "com.apple.CoreGraphics")
+  (preference-domain "com.apple.universalaccess")
+  (preference-domain "com.apple.security")
+  (preference-domain "pbs")
+)
+
+; Allow read and write access to neccesary system files
+(allow file-read* file-write*
+  (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+  (regex #"^/Users/[^.]+/Library/Fonts/")
+  (subpath "/private/var/folders/")
+  (regex "/Library/Keychains/*")
+  (subpath "/private/var/db/mds/")
+
+)         
+
+
+; Give access to the tccd app bundle
+(allow mach-lookup (global-name "com.apple.tccd.systempolicy.appbundles"))
+
+; Diagnostic Message history access and security accesss
+(allow file-read-data 
+  (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+  (subpath "/private/var/db/searchparty/sharedVault/agents/78BFBE72-7C54-4571-8D1B-5F58D809AA3B/savedConfiguration.plist")
+  (subpath "/Library/Preferences/com.apple.networkd.plist")
+  (subpath "/private/var/db/searchparty/sharedVault/BeaconPayloadCache/")
+  (regex #"^/Users/[^.]+/Library/Preferences/com.apple.security.plist")
+)
+
+; literally no idea bro
+(allow file-read-data file-write-unlink
+  (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+)           
+
+; Allow access to Rosetta runtime
+(allow file-read*
+  (subpath "/Library/Apple/usr/libexec/oah/libRosettaRuntime")
+)
+
+; Allow access to specific system frameworks and libraries
+(allow file-read*
+  (subpath "/System/Library/Frameworks/OpenGL.framework")
+  (subpath "/System/Library/Frameworks/CoreAudio.framework")
+  (subpath "/System/Library/Frameworks/CoreMedia.framework")
+  (subpath "/System/Library/PrivateFrameworks/GameKitServices.framework")
+)
+
+; Allow access to other random stuff it needs
+(allow file-read* 
+  (subpath "/Library/Preferences/com.apple.ViewBridge.plist")
+)
+
+; Mojang preference domain access
+(allow user-preference-write
+  (preference-domain "com.mojang.mclauncher")
+  (preference-domain "com.mojang.mclauncher.helper.renderer")
+  (preference-domain "com.mojang.minecraftlauncher")
+)
+
+; More mojang preference domain access 
+(allow user-preference-read
+  (preference-domain "com.mojang.mclauncher.helper.renderer")
+  (preference-domain "com.mojang.minecraftlauncher")
+  (preference-domain "com.mojang.mclauncher")
+  (preference-domain "kCFPreferencesAnyApplication")
+)
+
+; All below is the audio access
+
+(allow ipc-posix-shm-read* ipc-posix-shm-write-data
+  (ipc-posix-name-regex #"^AudioIO"))
+
+(allow mach-lookup
+  (global-name "com.apple.audio.coreaudiod")
+  (global-name "com.apple.audio.audiohald"))
+
+(allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
+
+(allow file-read* (subpath "/Library/Audio/Plug-Ins"))
+
+(allow device-microphone)