Enable sandboxing without using temporary-exception #5584

Merged
merged 2 commits into from May 18, 2016


@zcbenz
Contributor
zcbenz commented May 18, 2016

According to App Sandbox in Depth, if we use application groups then it will be possible to use mach IPC without acquiring temporary-exception.

This should make it much easier for apps to get approved.

Close #5350.

zcbenz added some commits May 18, 2016
@zcbenz zcbenz Currently set base bundle ID deddf98
@zcbenz zcbenz docs: Update MAS guide without using temporary-exception 9069482
@zcbenz zcbenz merged commit e05f795 into master May 18, 2016

@zcbenz zcbenz deleted the sandbox-no-expl branch May 18, 2016
@h13i32maru

super cool!!!

@mmm117
mmm117 commented May 18, 2016

So do I need to update my version of Electron?

@slaskis
slaskis commented May 18, 2016

Thanks for this!

I just tried this out and got this error while uploading to iTunes Connect:

ERROR ITMS-90286: "Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on Mac OS X. Specifically, value '[com.example]' for key 'com.apple.security.application-groups' in 'com.example.pkg/Payload/Example.app/Contents/MacOS/Example' is not supported. This value should be a string or an array of strings, each starting with your TEAMID followed by a dot '.' ."

And according to the docs for the application groups entitlements it seems to be required.

Just changing the entitlement plist to <string>[TEAM_ID].com.example</string> does not work either because then it does not match the bundle id.

Do you think the bundle id should always be prefixed with team id in the app or should the mach bundle id set in this PR also include the team id somehow?

@slaskis
slaskis commented May 18, 2016

Actually I just tested changing the app bundle id to include the team id and it will not be accepted either. I got this error now:

No suitable application records were found. Verify your bundle identifier '[TEAM ID].com.example' is correct.

@slaskis
slaskis commented May 18, 2016

I'm trying now to upload a version where we still use the temporary exception entitlement but with the bundle id:

    <key>com.apple.security.temporary-exception.sbpl</key>
    <string>(allow mach-lookup (global-name-regex #"^com.example.rohitfork.[0-9]+$"))</string>
@zcbenz
Contributor
zcbenz commented May 18, 2016

@slaskis Thanks for trying with it, I will figure out a way to enable people to specify TEAM_ID.

@slaskis
slaskis commented May 18, 2016

Awesome, I couldn't find a reference to the team id in the Info.plist so I'm trying to upload a version now that uses a hard-coded TEAM_ID.

But I'll let you know how that goes! :)

@bryan-jowers

Just got approved by MAS with this update. Thanks to all.

@mmm117
mmm117 commented May 31, 2016

@bryan-jowers, did you submit a copy of U.S. Encryption Registration (ERN) approval when submitting your app to MAS?

As mentioned on this page, it seems we need to do it for all Electron built apps:
https://github.com/electron/electron/blob/master/docs/tutorial/mac-app-store-submission-guide.md

Cryptographic Algorithms Used by Electron
Depending on the country and region you are located, Mac App Store may require documenting the cryptographic algorithms used in your app, and even ask you to submit a copy of U.S. Encryption Registration (ERN) approval.

@sethlu
Contributor
sethlu commented May 31, 2016

Adding an App to an App Group
The com.apple.security.application-groups (available in OS X v10.7.5 and v10.8.3 and later) allows multiple apps produced by a single development team to share access to a special group container. This container is intended for content that is not user-facing, such as shared caches or databases.
In addition, this attribute allows the apps within the group to share Mach and POSIX semaphores and to use certain other IPC mechanisms among the group’s members. For additional details and naming conventions, read “Mach IPC and POSIX Semaphores and Shared Memory” in App Sandbox Design Guide.
The value for this key must be of type array, and must contain one or more string values, each of which must consist of your development team ID, followed by a period, followed by an arbitrary name chosen by your development team. For example:

<array>
    <string>DG29478A379Q6483R9214.HolstFirstAppSuite</string>
    <string>DG29478A379Q6483R9214.HolstSecondAppSuite</string>
</array>

The group containers are automatically created or added into each app’s sandbox container as determined by the existence of these keys. The group containers are stored in ~/Library/Group Containers/<application-group-id>/, where <application-group-id> is one of the strings from the array. Your app can obtain the path to the group containers by calling the containerURLForSecurityApplicationGroupIdentifier: method of NSFileManager.

@slaskis Seems that com.apple.security.application-groups needs an array, rather than a single string?

Ref: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
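The rule that the ITMS-90286 error earlier in this thread and the quoted reference both describe (an array of strings, each "TEAMID.name") can be checked locally before an upload. The script below is an added example written for this page, not code from Electron or from electron-osx-sign; it assumes a constructed placeholder team ID `ABCDE12345` and two constructed entitlements files, validates the `com.apple.security.application-groups` key against that rule, and rewrites a rejected single-string value into the accepted array shape.

```python
import plistlib

APP_GROUPS_KEY = "com.apple.security.application-groups"
SANDBOX_KEY = "com.apple.security.app-sandbox"

# Constructed placeholder; a real value is the team identifier from your Apple
# developer account (the TEAMID the ITMS-90286 message refers to).
TEAM_ID = "ABCDE12345"

# Constructed sample mirroring the rejected shape from the thread: the group is
# a single <string> with no team prefix.
BAD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.application-groups</key>
  <string>com.example</string>
</dict>
</plist>
"""

# Constructed sample in the accepted shape: an <array> of <string>s, each
# prefixed with the team ID and a dot.
GOOD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.application-groups</key>
  <array>
    <string>ABCDE12345.com.example</string>
  </array>
</dict>
</plist>
"""


def check_app_groups(plist_bytes: bytes, team_id: str) -> list:
    """Return the problems an entitlements plist has with the app-group rule
    (an empty list means the value has the shape the ITMS-90286 text asks for)."""
    ent = plistlib.loads(plist_bytes)
    problems = []
    if ent.get(SANDBOX_KEY) is not True:
        problems.append(f"{SANDBOX_KEY} is not enabled")
    groups = ent.get(APP_GROUPS_KEY)
    if groups is None:
        problems.append(f"{APP_GROUPS_KEY} is missing")
        return problems
    if isinstance(groups, str):
        # The rejected shape: a bare <string> instead of an <array>.
        problems.append(f"{APP_GROUPS_KEY} must be an array of strings, not a single string")
        groups = [groups]
    elif not isinstance(groups, list):
        problems.append(f"{APP_GROUPS_KEY} has unexpected type {type(groups).__name__}")
        return problems
    prefix = team_id + "."
    for group in groups:
        if not isinstance(group, str):
            problems.append(f"group entry {group!r} is not a string")
        elif not group.startswith(prefix):
            problems.append(f"group {group!r} does not start with {prefix!r}")
    return problems


def fix_app_groups(plist_bytes: bytes, team_id: str) -> bytes:
    """Rewrite the entitlement into the accepted shape: an array in which every
    string carries the team-ID prefix. Returns the re-serialised XML plist."""
    ent = plistlib.loads(plist_bytes)
    groups = ent.get(APP_GROUPS_KEY, [])
    if isinstance(groups, str):
        groups = [groups]
    prefix = team_id + "."
    ent[APP_GROUPS_KEY] = [g if g.startswith(prefix) else prefix + g for g in groups]
    return plistlib.dumps(ent)


if __name__ == "__main__":
    print("bad :", check_app_groups(BAD_ENTITLEMENTS, TEAM_ID))
    print("good:", check_app_groups(GOOD_ENTITLEMENTS, TEAM_ID))
    print(fix_app_groups(BAD_ENTITLEMENTS, TEAM_ID).decode())
```

The check only looks at the shape of the entitlement; it does not confirm that the prefix matches the team ID in the signing certificate, which is the part a signing tool has to take from the signature itself.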

@slaskis
slaskis commented Jun 1, 2016

@sethlu yeah, needs an array. We only have a single string in the array and it worked great, even deployed an update recently.

@sethlu
Contributor
sethlu commented Jun 1, 2016

@slaskis nice; thanks for letting us know. 😄 An implementation of this is almost ready on https://github.com/electron-userland/electron-osx-sign. You may be interested in checking it out.

@slaskis
slaskis commented Jun 1, 2016

I saw the discussion, looks great and extracting the team id from the signature is pretty brilliant. We will definitely use that for future versions.
