Sandboxing


Sandboxing

Maarten Mostert-2
Hi,

When sandboxing my application I encounter the following.

If I assemble the app with the image named resource.im within resources, upon starting the app I will hit “Sandbox: visual(681) deny forbidden-exec-sugid” within the console. This means that I execute a setuid/setgid binary with elevated rights, which is forbidden by Apple’s security policies.

While testing other possible combinations I managed to sandbox and start up the VM and even open an image. However, this only works if there is no image inside the xxx.app, if the xxx.app is outside the Application folder, and after granting temporary read and write entitlements to both the image directory and the directory above the image directory.

As far as I understand, the image named resource.im is attempted to be found after the VM has already attempted to use elevated rights, which basically leaves me blocked here.

Regards,

@+Maarten,

_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc

Re: OSX - Sandboxing

Maarten Mostert-2
Hi,
The good news is that this particular problem appeared to be related to using the Unix command ps, which is not allowed. Also, things like VW’s file utilities (copyTo:, moveTo:) provoke sandbox collisions, but doing these using external processes seems to work for the moment.

As I would like to keep track of my temporary files and associated PIDs, I tried to use getpid, which is supposed to be allowed in a sandbox:

Where most Unix commands seem to work without problem, the getpid command doesn’t? Also, I have been digging in the Ossystem support class to try to find the current PID of the process running my VM, but without success.

Things like this (which you can run in any workspace) will fail??:

    ExternalProcess new
        execute: 'getpid'
        arguments: (Array with: ' ')
        do: [:anIOStream |
            results := anIOStream contents
            "Transcript show: results"]

or

    ExternalProcess
        execute: 'getpid'
        arguments: (Array new)
        do: [:anIOStream |
            results := anIOStream contents
            "Transcript show: results"]
        errorStreamDo: [:error |
            str := error contents asString.
            str isEmpty
                ifFalse: [
                    Transcript
                        show: 'Error says: ' , str;
                        cr]].


Regards,

@+Maarten,
 

On 20 Jan 2015, at 21:40, Maarten Mostert <[hidden email]> wrote:

Hi,

When sandboxing my application I encounter the following.

If I assemble the app with the image named resource.im within resources, upon starting the app I will hit “Sandbox: visual(681) deny forbidden-exec-sugid” within the console. This means that I execute a setuid/setgid binary with elevated rights, which is forbidden by Apple’s security policies.

While testing other possible combinations I managed to sandbox and start up the VM and even open an image. However, this only works if there is no image inside the xxx.app, if the xxx.app is outside the Application folder, and after granting temporary read and write entitlements to both the image directory and the directory above the image directory.

As far as I understand, the image named resource.im is attempted to be found after the VM has already attempted to use elevated rights, which basically leaves me blocked here.

Regards,

@+Maarten,

Re: OSX - Sandboxing

Maarten Mostert-2
Well I actually just found it.

In order to obtain getpid there is something like “OSHandle currentProcessID”, which does just that with a VM primitive :)

@+Maarten,


On 27 Jan 2015, at 09:31, Maarten Mostert <[hidden email]> wrote:

Hi,
The good news is that this particular problem appeared to be related to using the Unix command ps, which is not allowed. Also, things like VW’s file utilities (copyTo:, moveTo:) provoke sandbox collisions, but doing these using external processes seems to work for the moment.

As I would like to keep track of my temporary files and associated PIDs, I tried to use getpid, which is supposed to be allowed in a sandbox:

Where most Unix commands seem to work without problem, the getpid command doesn’t? Also, I have been digging in the Ossystem support class to try to find the current PID of the process running my VM, but without success.

Things like this (which you can run in any workspace) will fail??:

    ExternalProcess new
        execute: 'getpid'
        arguments: (Array with: ' ')
        do: [:anIOStream |
            results := anIOStream contents
            "Transcript show: results"]

or

    ExternalProcess
        execute: 'getpid'
        arguments: (Array new)
        do: [:anIOStream |
            results := anIOStream contents
            "Transcript show: results"]
        errorStreamDo: [:error |
            str := error contents asString.
            str isEmpty
                ifFalse: [
                    Transcript
                        show: 'Error says: ' , str;
                        cr]].


Regards,

@+Maarten,