This project contains code to compute sandbox coverage statistics for macOS applications. Please refer to this article for a conceptual overview of the tool's inner workings.
This project depends on
nlohmann/json. The dependencies can be installed using homebrew:
$ brew tap nlohmann/json $ brew install cmake nlohmann_json
$ git clone --recursive https://github.com/0xbf00/macos-sandbox-coverage.git $ cd macos-sandbox-coverage/ # Setup submodules: # - maap: See instructions at https://github.com/0xbf00/maap # - simbple: No need to build anything. We are only including some of the project's source code here. # Build matching-core $ mkdir matching-core/build $ cd matching-core/build $ cmake .. $ make
The program only supports two switches:
--appto specify the path to the application you want to collect sandbox coverage data for
--timeoutto specify the number of seconds for the app to run. If you do not specify a timeout, the app will run indefinitely or until it is closed by the user.
$ ./sandbox_coverage.py --app /Applications/Calculator.app > output.json $ ./report.py output.json output.htm
Output files should contain all the information you need to reproduce the results. The JSON output is quite large and makes use of the following keys:
arguments: contains program parameters (path to app and timeout)
Container.plistof the target app
logs: under this key you'll find both raw and processed sandbox logs, which are used as input to the matcher.
match_results: contains the original match results.
rule_mapping: contains the mapping of original rules to normalised and generalised rules.
process_infos: contains PID and
stdoutoutput of the target app
sandbox_profiles: dictionary containing four different sandbox profiles. The original, normalised and generic (generic) profile are encoded as JSON, the patched profile compiled and encoded as base64
An example report can be found in
data/example_report.htm (normalised profile of Calculator on macOS Catalina 10.15.3).