Lion - are Apple's apps sandboxed?

[Tech198]

I know apps bought from app store will be sandboxed, but are the OS apps sandboxed in Lion?

 

[tkermit]

Some are, but not all of them. There's a "Sandbox" column you can activate in Activity Monitor to check this.

 

[basher]

Did the option to run apps in their own memory space get pulled from Lion? I don't see it listed in System Preferences, Security.

 

[dukebound85]

what does sandboxed mean? as in all the files are in one place or what?

 

[munkery]

Most if not all of the default apps in Lion that have greater security implications are sandboxed.

Mandatorily exposed server-side services are sandboxed as before.

Client-side apps that are sandboxed include Safari (web process), Preview, Quick Look Helper, QuickTime (some components), and TextEdit. Other examples may exist as well.

These apps are sandboxed because associated file types are manipulated to deliver exploits: Safari (maliciously crafted website), Preview (maliciously crafted PDF), QuickTime (maliciously crafted video/audio), TextEdit (maliciously crafted document), and Quick Look Helper (all of the above).

Here is an article about the sandbox in OS X.

http://www.exploit-db.com/download_pdf/16031

 

[echo.park]

If TextEdit is, how about Pages 09 then?

 

[munkery]

If TextEdit is, how about Pages 09 then?

I would like to know this as well?

I would hope that Apple would do this for iWork as well even though it is not installed by default.

It should be noted that these types of attacks targeting OS X are uncommon in the wild. This is due to the difficulty in achieving system level access after gaining user level access. It is more efficient to use social engineering rather than exploitation.

But, it is good that Apple is being proactive in this regard.

 

[basher]

Based on what I'm seeing in Activity Monitor when I run Pages '09 it is not sandboxed.

 

[munkery]

Based on what I'm seeing in Activity Monitor when I run Pages '09 it is not sandboxed.

Do you have Activity Monitor set to show which apps are sandboxed?

In global menu for Activity Monitor: View -> Columns -> Sandbox.

 

[basher]

Yep.

 

[munkery]

Yep.

Possibly due to iWork not natively handling other common proprietary formats?

MS Office docs are converted when opened in iWork, right?

That does not mean that Apple's formats are not liable as well. But, they have not been targeted yet and other mechanisms beyond sandboxing also mitigate this liability.

Given that all Mac App Store apps have to be sandboxed by November, iWork will be sandboxed in the future.

 

[uaecasher]

I only have 4 processes that are sandboxed

 

[munkery]

I only have 4 processes that are sandboxed

Open Preview and TextEdit; then Quick Look Helper will also launch.

I am unsure how to show the components that are sandboxed in QuickTime. Only know from reports via security researchers that QT is somehow sandboxed as well.

Set Activity Monitor to show "All processes, hierarchical."

This will reveal the server-side processes that are sandboxed.

 

[tkermit]

what does sandboxed mean?

John Siracusa's latest OS X review contains a good explanation of Sandboxing in Lion.

 

[brand]

what does sandboxed mean? as in all the files are in one place or what?

Sandbox

 

[munkery]

VTDecoderXPCService is the process that sandboxes functions related to QuickTime.