Safari Sandbox 0.2
A slight update
Here's a slight update to my sandbox-exec profile for Safari 4.x. I prefer Safari for browsing for numerous reasons; however, as a security-minded individual I couldn't stand the access permissions Safari has by default.
(version">
(version 1)
(debug deny) ; Use (debug all) to see every action
(allow network-outbound)
(allow signal)
(allow ipc-posix-shm) ; Needed for POSIX shared memory
;; if that is your Safari path
;(allow process-exec (regex #"^/Applications/Safari.app/*"))
(allow sysctl-read)
(allow file-read-metadata)
(allow process*)
;(allow mach*)
(allow mach-lookup)
;(allow process-exec (regex #"^/System/Library/CoreServices/*"))
;;
;; This is the most important part
;; Allow to read these files:
;;
(allow file-read*
  (regex
    #"^/Users/YOUR_HOME/$"
    #"^/Users/YOUR_HOME/Downloads"
    #"^/place_your_downloads-folder_here"
    #"^/Users/YOUR_HOME/Library"
    #"^/Users/YOUR_HOME/Public"
    #"^/Users/YOUR_HOME/Sites"
    #"^/Applications/Safari.app"
    #"^/Library/*"
    #"^/System/Library/*"
    #"^/usr/lib/*"
    #"^/usr/share/*"
    #"^/private/*"
    #"^/dev/*"
    ;; entirely optional - but I use some Safari hacks
    #"^/Library/Application Support/SIMBL/Plugins/*"
    #"^/Library/Application Support/Glims/*"
    #"^/Library/Application Support/Glims/PlugIns/Glims.bundle/Contents/MacOS/*"
    #"^/Users/YOUR_HOME/Library/Internet Plug-Ins/*"
    #"^/Library/Internet Plug-Ins/*"
    #"^/Library/InputManagers/*"
    #"^/Applications/1Password.app"
    #"^/Applications/Evernote.app/Contents/*"
    #"^/Users/YOUR_HOME/Library/Application Support/Evernote/*"
  )
)
;; Allow to write these files:
(allow file-write*
  (regex
    #"^/Users/YOUR_HOME/Downloads/*"
    #"^/Users/YOUR_HOME/Library/.*"
    #"^/private/var/*"
    #"^/dev/dtracehelper"
    ;; well... that is how it works at least
    #"^/Library/Application Support/SIMBL/Plugins/*"
    #"^/Library/Application Support/Glims/PlugIns/Glims.bundle/Contents/MacOS/*"
    #"^/Users/YOUR_HOME/Library/Application Support/Evernote/*"
  )
)
(deny default)
The AppleScript code is still:
do shell script "sandbox-exec -f /Users/YOUR_HOME/policies/sandbox-safari.sb /Applications/Safari.app/Contents/MacOS/Safari"
I considered the comments, too. However, it doesn't really work. So... here we are.
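As an added example that is not part of the original post, here is a small Python checker for profiles of the shape above. It parses the SBPL s-expressions, lists the regex filters an (allow <op> ...) rule grants, and flags the pitfalls a hand-edited profile tends to carry: a YOUR_HOME placeholder left in, an unanchored pattern, and a trailing "/*", which in a regex means zero or more slashes and therefore turns the rule into a bare prefix match. SAMPLE is a constructed excerpt and the function names are my own.

```python
import re

# Constructed excerpt in the shape of the profile above (not the original post's file).
SAMPLE = r'''(version 1)
(debug deny) ; log denials only
(allow file-read* (regex #"^/Users/YOUR_HOME/$" #"^/Library/*"))
(allow file-write* (regex #"^/Users/YOUR_HOME/Downloads/*" #"^/Users/YOUR_HOME/Library/.*"))
(deny default)'''
# One token per match: a ; comment, a "..." or #"..." literal, a paren, or a bare symbol.
TOKEN = re.compile(r';[^\n]*|#?"(?:[^"\\]|\\.)*"|[()]|[^\s()";]+')

def parse(text):
    """Parse SBPL (an s-expression dialect) into nested lists; ValueError on unbalanced parens."""
    stack, cur = [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(';'):          # comment runs to end of line
            continue
        if tok == '(':
            stack.append(cur)
            cur = []
        elif tok == ')':
            if not stack:
                raise ValueError('unexpected )')
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok)
    if stack:
        raise ValueError('%d unclosed (' % len(stack))
    return cur

def regexes(form):
    """The #"..." regex literals nested anywhere inside a parsed form (quotes stripped)."""
    if isinstance(form, list):
        return [r for item in form for r in regexes(item)]
    return [form[2:-1]] if form.startswith('#"') else []

def allowed(text, op):
    # Regex filters attached to (allow <op> ...) rules, e.g. op='file-write*'.
    return [r for f in parse(text) if isinstance(f, list) and f[:2] == ['allow', op] for r in regexes(f)]

def lint(text):
    # Warnings for the regex pitfalls a hand-written profile tends to carry.
    warnings = []
    for r in regexes(parse(text)):
        if 'YOUR_HOME' in r:
            warnings.append('placeholder left in %r' % r)
        if not r.startswith('^'):
            warnings.append('%r is unanchored and matches anywhere in a path' % r)
        if r.endswith('/*'):
            warnings.append('%r: "/*" is zero or more slashes, i.e. a prefix match; use "/.*" or (subpath ...)' % r)
    return warnings
```

Run lint() on your own .sb file before handing it to sandbox-exec; the write list from allowed(text, 'file-write*') is the one worth reading twice, since everything there is reachable by a compromised Safari.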
Exceptions for which plugins?
The reason for the optional read/write permissions is plugins: Glims (many nice functions), PithHelmet (cookie and JS/Java script controls similar to NoScript), AdBlock Safari, Safari Cookies, ForgetMeNot (saves sessions) and some crappy ones I don't dare to mention. Sometimes I just changed this in the Info.plist:
<key">
<key>BundleIdentifier</key>
<string>*</string>
<key>MaxBundleVersion</key>
<string>*</string>
<key>MinBundleVersion</key>
<string>*</string>
Yes... kind of nasty, but practical. :) The really important data are safe from any exploit, drive-by attack or magic affecting Safari. I didn't manage to build such a policy for Firefox. Other WebKit-based browsers may be compatible.
Have fun,
wishi