singe

macOS Seatbelt/Sandbox Trace Script

macOS sandbox profiles used to be able to include a trace command that would write all the denied operations to a sandbox profile, allowing a profile to be iterativley built up. Apple removed that functionality for reasons explained below.

trace.sh examines the kernel log for the denied operations and creates the relevant allow rules in a sandbox profile, just like the sandbox profile trace command used to.

shrink.sh tries to reduce a sandbox profile to the minimum lines necessary.

It's very rough and ready at the moment (check the sed regex'es in the script to see what I mean) and needs more testing with a wider set of use cases.

dmattera

import os


def parse_man_file(man_filepath):
    with open(man_filepath, "r") as man_file:
        lines = man_file.read().split("\n")
        
        formatted_lines = []
        for line in lines:
            # remove Apple developer comments included on the same line and strip off trailing white space

dmattera

This list was auto-generated on macOS 10.15 (Catalina) using a script that did the following:

1. grabbed the name of all the .plist files located in the 5 folders used by launchctl:

• ~/Library/LaunchAgents Per-user agents provided by the user.
• /Library/LaunchAgents Per-user agents provided by the administrator.
• /Library/LaunchDaemons System wide daemons provided by the administrator.
• /System/Library/LaunchAgents OS X Per-user agents.
• /System/Library/LaunchDaemons OS X System wide daemons.

0xmachos

Keychain API

kSecAttrAccessible Mapping

Protection Domain (pdmn)	Keychain Accessibility Values
ck	kSecAttrAccessibleAfterFirstUnlock
cku	kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
dk	kSecAttrAccessibleAlways
akpu	kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly