From 93f2d4996b80a94dfc7b35e83fef52be044bceed Mon Sep 17 00:00:00 2001
From: Game_Time <108236317+RayBytes@users.noreply.github.com>
Date: Wed, 14 Jun 2023 21:24:54 +0500
Subject: [PATCH] MacOS Sandboxing (#5)

* Update macos-sandbox.sb to beta
* Update README.md
* Added audio support
* update sandbox readme to reflect new changes
* (hopefully) final sandbox profile ver
* Create patcher.py
* Move docs/sandboxing/macos-sandbox.sb to docs/sandboxing/macos/macos-sandbox.sb
* Update README.md for patcher.py
* Create prism-sandbox.sb
* Create README.md for launchers
* Update launcher readme with reminder
* eliminate the need for patcher.py
* Delete patcher.py
* Update README.md to remove patcher.py
* Update prism-sandbox.sb to not use patcher.py
* Update README.md
* Update macos-sandbox.sb
* prevent jdk fuckery
---
 docs/sandboxing/README.md | 23 +--
 docs/sandboxing/macos-sandbox.sb | 55 -------
 docs/sandboxing/macos/launchers/README.md | 8 +
 .../macos/launchers/prism-sandbox.sb | 142 ++++++++++++++++++
 docs/sandboxing/macos/macos-sandbox.sb | 136 +++++++++++++++++
 5 files changed, 298 insertions(+), 66 deletions(-)
 delete mode 100644 docs/sandboxing/macos-sandbox.sb
 create mode 100644 docs/sandboxing/macos/launchers/README.md
 create mode 100644 docs/sandboxing/macos/launchers/prism-sandbox.sb
 create mode 100644 docs/sandboxing/macos/macos-sandbox.sb

diff --git a/docs/sandboxing/README.md b/docs/sandboxing/README.md
index 8beed3f..f4cad59 100644
--- a/docs/sandboxing/README.md
+++ b/docs/sandboxing/README.md
@@ -8,13 +8,17 @@ Sandboxing is a concept where we try to sandbox mods from the users host system
 There is no clear solution to this yet, but it should take heavy inspiration from [The Chromium Windows Sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Sandbox-Windows-architecture)
-### MacOS
+### Linux
+
+We could use something like flatpak here, though its unlikely, the current most likely solution is to use linux namespaces to work like a docker-like system.
+
+This is mainly solved other then implementation details
-*From [RayAar/minecraft-macos-sandboxing, this repo has now moved to this document](https://github.com/RayBytes/minecraft-macos-sandboxing)*
+### MacOS
-*Documentation in progress*
+*Implementation by Game_Time from [minecraft-macos-sandboxing, this repo has now been moved to this document](https://github.com/RayBytes/minecraft-macos-sandboxing)*
-The idea for MacOS sandboxing is to completely sandbox Minecraft. This will disable minecraft from accessing any harmful data which it could gain access to. We used apple's sandbox-exec and created a profile for it. The profile will* only give access to files which minecraft needs to run.
+The idea for MacOS sandboxing is to completely sandbox Minecraft. This will disable minecraft from accessing any harmful data which it could gain access to. We used apple's sandbox-exec and created a profile for it. The profile will only give access to files which minecraft needs to run.
 #### How does it work?
@@ -25,16 +29,13 @@ It uses MacOS's inbuilt `sandbox-exec` command to work, as sandbox-exec is a ful
 Run the command: `sandbox-exec -f Path/To/The/Sandbox/Profile/minecraft-sandbox.sb /Applications/Minecraft.app/Contents/MacOS/launcher`
-*Note: This project is still in development and may not function as it should, some extra files may still be given access to Minecraft which will be removed in future versions. Be vary of this before using this project.*
+*Note: This project is now in beta testing, and may be used on clients properly. Report any bugs in the [discord](https://discord.gg/zPdFK47682)*
 #### Sandbox Profile
-See [macos-sandboxing.sb](./macos-sandbox.sb)
-
-
-### Linux
+See [macos-sandboxing.sb](./macos/macos-sandbox.sb)
-We could use something like flatpak here, though its unlikely, the current most likely solution is to use linux namespaces to work like a docker-like system.
+# Notice
-This is mainly solved other then implementation details
+For other launchers, check out the launchers directory.
diff --git a/docs/sandboxing/macos-sandbox.sb b/docs/sandboxing/macos-sandbox.sb
deleted file mode 100644
index ccfba0c..0000000
--- a/docs/sandboxing/macos-sandbox.sb
+++ /dev/null
@@ -1,55 +0,0 @@
-(version 1)
-(deny default)
-(allow process-exec)
-(allow process-fork)
-(allow sysctl-read)
-(allow file-read-metadata)
-(allow network*)
-(allow mach*)
-(allow iokit*)
-(allow lsopen)
-(import "/System/Library/Sandbox/Profiles/bsd.sb")
-
- ; Allow read and write access to Minecraft application files
-(allow file-read* file-write*
- (subpath "/Applications/Minecraft.app/")
- (subpath "/Applications/Minecraft.app/Contents/MacOS/launcher")
- (regex "/Library/Keychains/*")
- (subpath "/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper.app")
-)
-
-(allow mach-lookup (global-name "com.apple.biome.compute.source.user"))
-
- ; Read-write access to Minecraft Game files
-(allow file-read* file-write*
- (regex "/Library/Application Support/minecraft/*")
-)
-
- ; Allow access to minecraft's sandboxed data
-(allow file-read* file-write*
- (subpath "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState/")
-)
-
- ; Allow read and write access to temporary system files
-(allow file-read* file-write*
- (subpath "/private/var/")
- (subpath "/private/tmp/"))
-
- ; Allow access to Rosetta runtime
-(allow file-read*
- (subpath "/Library/Apple/usr/libexec/oah/libRosettaRuntime")
-)
-
- ; Allow access to specific system frameworks and libraries
-(allow file-read*
- (subpath "/System/Library/Frameworks/OpenGL.framework")
- (subpath "/System/Library/Frameworks/CoreAudio.framework")
- (subpath "/System/Library/Frameworks/CoreMedia.framework")
- (subpath "/System/Library/PrivateFrameworks/GameKitServices.framework")
-)
-
- ; Allow access to other random stuff it needs
-(allow file-read*
- (subpath "/Library/Preferences/com.apple.ViewBridge.plist")
-)
\ No newline at end of file
diff --git a/docs/sandboxing/macos/launchers/README.md b/docs/sandboxing/macos/launchers/README.md
new file mode 100644
index 0000000..6953e2a
--- /dev/null
+++ b/docs/sandboxing/macos/launchers/README.md
@@ -0,0 +1,8 @@
+# Launchers
+
+To use a launcher profile you will need to select its profile and run the sandbox profile command.
+Here are the commands for the below current supported launchers
+
+# Prism Launcher
+
+`sandbox-exec -f /Path/To/Sandbox/minecraft-sandbox.sb /Applications/Prism\ Launcher.app/Contents/MacOS/prismlauncher`
diff --git a/docs/sandboxing/macos/launchers/prism-sandbox.sb b/docs/sandboxing/macos/launchers/prism-sandbox.sb
new file mode 100644
index 0000000..82f51d2
--- /dev/null
+++ b/docs/sandboxing/macos/launchers/prism-sandbox.sb
@@ -0,0 +1,142 @@
+
+
+(version 1)
+(deny default)
+(allow process-exec)
+(allow process-fork)
+(allow sysctl-read)
+(allow file-read-metadata)
+(allow network*)
+(allow mach*)
+(allow iokit*)
+(allow lsopen)
+(import "/System/Library/Sandbox/Profiles/bsd.sb")
+
+ ; Allow read and write access to Minecraft application files
+(allow file-read* file-write*
+ (regex #"^/Users/[^.]+/Library/Application Support/minecraft/*")
+ (subpath "/Applications/Minecraft.app/")
+ (subpath "/Applications/Minecraft.app/Contents/MacOS/launcher")
+ (regex "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState/*")
+ (subpath "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState")
+
+ ; Changes for Prism Launcher
+ (regex #"^/Users/[^.]+/Library/Application Support/PrismLauncher/*")
+ (subpath "/Applications/Prism Launcher.app/")
+ (subpath "/Applications/Prism Launcher.app/Contents/MacOS/launcher")
+)
+
+ ; Some other random minecraft stuff
+(allow file-issue-extension
+ (extension-class "com.apple.app-sandbox.read")
+ (regex #"^/Users/[^.]+/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper.app")
+)
+
+ ; no idea
+(allow file-read-data
+ (subpath "/private/etc/hosts")
+)
+
+ ; Access to the computer user data
+(allow mach-lookup
+ (global-name "com.apple.biome.compute.source.user")
+)
+
+ ; Allow access to user inpt data & crash reporter / security plist
+(allow file-read-data
+ (regex #"^/Users/[^.]+/Library/Spelling")
+ (regex #"^/Users/[^.]+/Library/Input Methods")
+ (regex #"^/Users/[^.]+/Library/Keyboard Layouts")
+
+ (subpath "/Library/Preferences/com.apple.security.plist")
+ (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+)
+
+ ; Domains which minecraft needs access to, including graphics, recogition and security
+(allow user-preference-read
+ (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs")
+ (preference-domain "com.apple.HIToolbox")
+ (preference-domain "com.apple.CoreGraphics")
+ (preference-domain "com.apple.universalaccess")
+ (preference-domain "com.apple.security")
+ (preference-domain "pbs")
+)
+
+ ; Allow read and write access to neccesary system files
+(allow file-read* file-write*
+ (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+ (regex #"^/Users/[^.]+/Library/Fonts/")
+ (subpath "/private/var/folders/")
+ (regex "^/Library/Java/JavaVirtualMachines/jdk\w*")
+ (regex #"^/Users/[^.]+/Library/Saved Application State/net\.java\w*")
+ (regex "/Library/Keychains/*")
+ (subpath "/private/var/db/mds/")
+)
+
+
+ ; Give access to the tccd app bundle
+(allow mach-lookup (global-name "com.apple.tccd.systempolicy.appbundles"))
+
+ ; Diagnostic Message history access and security accesss
+(allow file-read-data
+ (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+ (subpath "/private/var/db/searchparty/sharedVault/agents/78BFBE72-7C54-4571-8D1B-5F58D809AA3B/savedConfiguration.plist")
+ (subpath "/Library/Preferences/com.apple.networkd.plist")
+ (subpath "/private/var/db/searchparty/sharedVault/BeaconPayloadCache/")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.apple.security.plist")
+)
+
+ ; literally no idea bro
+(allow file-read-data file-write-unlink
+ (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+)
+
+ ; Allow access to Rosetta runtime
+(allow file-read*
+ (subpath "/Library/Apple/usr/libexec/oah/libRosettaRuntime")
+)
+
+ ; Allow access to specific system frameworks and libraries
+(allow file-read*
+ (subpath "/System/Library/Frameworks/OpenGL.framework")
+ (subpath "/System/Library/Frameworks/CoreAudio.framework")
+ (subpath "/System/Library/Frameworks/CoreMedia.framework")
+ (subpath "/System/Library/PrivateFrameworks/GameKitServices.framework")
+)
+
+ ; Allow access to other random stuff it needs
+(allow file-read*
+ (subpath "/Library/Preferences/com.apple.ViewBridge.plist")
+)
+
+ ; Mojang preference domain access
+(allow user-preference-write
+ (preference-domain "com.mojang.mclauncher")
+ (preference-domain "com.mojang.mclauncher.helper.renderer")
+ (preference-domain "com.mojang.minecraftlauncher")
+)
+
+ ; More mojang preference domain access
+(allow user-preference-read
+ (preference-domain "com.mojang.mclauncher.helper.renderer")
+ (preference-domain "com.mojang.minecraftlauncher")
+ (preference-domain "com.mojang.mclauncher")
+ (preference-domain "kCFPreferencesAnyApplication")
+)
+
+ ; All below is the audio access
+
+(allow ipc-posix-shm-read* ipc-posix-shm-write-data
+ (ipc-posix-name-regex #"^AudioIO"))
+
+(allow mach-lookup
+ (global-name "com.apple.audio.coreaudiod")
+ (global-name "com.apple.audio.audiohald"))
+
+(allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
+
+(allow file-read* (subpath "/Library/Audio/Plug-Ins"))
+
+(allow device-microphone)
diff --git a/docs/sandboxing/macos/macos-sandbox.sb b/docs/sandboxing/macos/macos-sandbox.sb
new file mode 100644
index 0000000..ed8dc9e
--- /dev/null
+++ b/docs/sandboxing/macos/macos-sandbox.sb
@@ -0,0 +1,136 @@
+(version 1)
+(deny default)
+(allow process-exec)
+(allow process-fork)
+(allow sysctl-read)
+(allow file-read-metadata)
+(allow network*)
+(allow mach*)
+(allow iokit*)
+(allow lsopen)
+(import "/System/Library/Sandbox/Profiles/bsd.sb")
+
+ ; Allow read and write access to Minecraft application files
+(allow file-read* file-write*
+ (regex #"^/Users/[^.]+/Library/Application Support/minecraft/*")
+ (subpath "/Applications/Minecraft.app/")
+ (subpath "/Applications/Minecraft.app/Contents/MacOS/launcher")
+ (regex "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState/*")
+ (subpath "/Library/Saved Application State/com.mojang.minecraftlauncher.savedState")
+)
+
+ ; Some other random minecraft stuff
+(allow file-issue-extension
+ (extension-class "com.apple.app-sandbox.read")
+ (regex #"^/Users/[^.]+/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper.app")
+)
+
+ ; no idea what hosts is, access to java for possible custom jdk
+(allow file-read-data
+ (subpath "/Library/Java/JavaVirtualMachines/")
+ (subpath "/private/etc/hosts")
+ (regex #"^/Users/[^.]+/Library/Saved Application State/net\.java\w*")
+)
+
+ ; Access to the computer user data
+(allow mach-lookup
+ (global-name "com.apple.biome.compute.source.user")
+)
+
+ ; Allow access to user inpt data & crash reporter / security plist
+(allow file-read-data
+ (regex #"^/Users/[^.]+/Library/Spelling")
+ (regex #"^/Users/[^.]+/Library/Input Methods")
+ (regex #"^/Users/[^.]+/Library/Keyboard Layouts")
+
+ (subpath "/Library/Preferences/com.apple.security.plist")
+ (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+)
+
+ ; Domains which minecraft needs access to, including graphics, recogition and security
+(allow user-preference-read
+ (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs")
+ (preference-domain "com.apple.HIToolbox")
+ (preference-domain "com.apple.CoreGraphics")
+ (preference-domain "com.apple.universalaccess")
+ (preference-domain "com.apple.security")
+ (preference-domain "pbs")
+)
+
+ ; Allow read and write access to neccesary system files
+(allow file-read* file-write*
+ (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+ (regex #"^/Users/[^.]+/Library/Fonts/")
+ (subpath "/private/var/folders/")
+ (regex "/Library/Keychains/*")
+ (subpath "/private/var/db/mds/")
+
+)
+
+
+ ; Give access to the tccd app bundle
+(allow mach-lookup (global-name "com.apple.tccd.systempolicy.appbundles"))
+
+ ; Diagnostic Message history access and security accesss
+(allow file-read-data
+ (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
+ (subpath "/private/var/db/searchparty/sharedVault/agents/78BFBE72-7C54-4571-8D1B-5F58D809AA3B/savedConfiguration.plist")
+ (subpath "/Library/Preferences/com.apple.networkd.plist")
+ (subpath "/private/var/db/searchparty/sharedVault/BeaconPayloadCache/")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.apple.security.plist")
+)
+
+ ; literally no idea bro
+(allow file-read-data file-write-unlink
+ (regex #"^/Users/[^.]+/Library/Application Support/CEF/User Data/WidevineCdm/")
+)
+
+ ; Allow access to Rosetta runtime
+(allow file-read*
+ (subpath "/Library/Apple/usr/libexec/oah/libRosettaRuntime")
+)
+
+ ; Allow access to specific system frameworks and libraries
+(allow file-read*
+ (subpath "/System/Library/Frameworks/OpenGL.framework")
+ (subpath "/System/Library/Frameworks/CoreAudio.framework")
+ (subpath "/System/Library/Frameworks/CoreMedia.framework")
+ (subpath "/System/Library/PrivateFrameworks/GameKitServices.framework")
+)
+
+ ; Allow access to other random stuff it needs
+(allow file-read*
+ (subpath "/Library/Preferences/com.apple.ViewBridge.plist")
+)
+
+ ; Mojang preference domain access
+(allow user-preference-write
+ (preference-domain "com.mojang.mclauncher")
+ (preference-domain "com.mojang.mclauncher.helper.renderer")
+ (preference-domain "com.mojang.minecraftlauncher")
+)
+
+ ; More mojang preference domain access
+(allow user-preference-read
+ (preference-domain "com.mojang.mclauncher.helper.renderer")
+ (preference-domain "com.mojang.minecraftlauncher")
+ (preference-domain "com.mojang.mclauncher")
+ (preference-domain "kCFPreferencesAnyApplication")
+)
+
+ ; All below is the audio access
+
+(allow ipc-posix-shm-read* ipc-posix-shm-write-data
+ (ipc-posix-name-regex #"^AudioIO"))
+
+(allow mach-lookup
+ (global-name "com.apple.audio.coreaudiod")
+ (global-name "com.apple.audio.audiohald"))
+
+(allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
+
+(allow file-read* (subpath "/Library/Audio/Plug-Ins"))
+
+(allow device-microphone)