Base permissions block reading of ad-hoc pipes from process substitution #1

Open
algal opened this issue Apr 23, 2021 · 1 comment
algal commented Apr 23, 2021

Howdy!

I was configuring this to try it in my workflow, and I ran into a few problems following from my somewhat elaborate shell configuration. In particular, I use the executable starship to render my prompt, so I needed to expand the base permissions so starship had permissions to run and read its configuration files.

However it's still not working because, apparently, the base configuration does not allow reading from file descriptor pipes generated by zsh process substitution. This strikes me as a potentially more general problem.

You can see the issue by trying the following:

$ sb
$ echo 'printf "Hello World"' > myscript
$ source myscript
Hello world
$ /bin/cat myscript
printf "Hello world"
$ source <("/bin/cat" myscript)
source: operation not permitted: /dev/fd/11

As you can see, sandboxtron lets me run cat, and it lets me source myscript, but it doesn't let me source an ad-hoc pipe file created from the output of calling cat on myscript.

Obviously the above example is silly since cat doesn't do anything. But starship's initialization has a line where it's less trivial:

source <("/usr/local/bin/starship" init zsh --print-full-init)

I suppose I could work around this by dumping that output to a static file, assuming the output doesn't change between invocations.

I noticed zsh also supports a =() syntax in addition to <(). This is supposed to create a temporary file on disk rather than using a pipe. When I tried this, it not only gave the same "operation not permitted" error but also crashed zsh, dropping me back to the unsandboxed host shell.

So I guess the question is: is there a way to set up a permission declaration that encompasses pipes and other such transient file descriptors?

lynaghk (Owner) commented Apr 28, 2021

I'm not sure how transient file descriptors are handled in Apple's sandbox framework. You could take a skim through https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf to see if anything jumps out.

Did you try running Console.app and recording the interaction?
If you search for "sandbox" you'll see log lines about what the sandboxing system has denied, and that provides a good place to start for specific permissions that need to be added.
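The reply above suggests collecting the "sandbox" denial lines from Console.app and working from them. The script below is an added example, not code from the sandboxtron project or from either commenter: it summarises such denial lines into distinct (process, operation, path) triples and prints a candidate allow rule for each, in the profile-language form described in the Apple Sandbox Guide the reply links. The line shape `Sandbox: <process>(<pid>) deny(1) <operation> <path>` is an approximation of what Console.app shows, and the lines in `SAMPLE_LOG` are constructed for this example, not captured from a real machine. Denials on `/dev/fd/N` paths are deliberately reported as comments rather than rules, because the descriptor number is chosen by the shell at each invocation, which is exactly why a literal path rule would not have helped in the issue above.

```shell
#!/bin/sh
# Added example, not code from the sandboxtron project or from either
# commenter. Summarises sandbox denial lines of the (approximated) shape
#   Sandbox: <process>(<pid>) deny(1) <operation> <path>
# into distinct triples and suggests one SBPL allow rule per triple.
# SAMPLE_LOG is constructed for this example, not captured output.

SAMPLE_LOG='Sandbox: zsh(4021) deny(1) file-read-data /dev/fd/11
Sandbox: zsh(4021) deny(1) file-read-metadata /dev/fd/11
Sandbox: starship(4022) deny(1) file-read-data /Users/me/.config/starship.toml
Sandbox: zsh(4021) deny(1) file-read-data /dev/fd/11
kernel: unrelated line that must be ignored
Sandbox: zsh(4023) deny(1) file-write-create /private/tmp/zshXXXXXX'

TAB=$(printf '\t')

# Read log lines on stdin; print "count<TAB>process<TAB>operation<TAB>path"
# for each distinct denied triple, sorted by process, operation, path.
summarize_denials() {
    grep 'deny(' | awk '
        {
            proc = $2; sub(/\(.*$/, "", proc)   # "zsh(4021)" -> "zsh"
            key = proc "\t" $4 "\t" $5
            n[key]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | LC_ALL=C sort -t "$TAB" -k2,2 -k3,3 -k4,4
}

# Turn the summary into one line per triple in Apple's sandbox profile
# language, e.g.
#   (allow file-read-data (literal "/Users/me/.config/starship.toml"))
# Paths under /dev/fd are emitted as ";;" comments instead of rules: the
# descriptor number is picked by the shell at each invocation, so a
# literal rule written today would not match the next run.
suggest_rules() {
    summarize_denials | awk -F '\t' '
        $4 ~ /^\/dev\/fd\// {
            printf ";; %s on transient descriptor %s (%d times): a literal rule would not generalize\n", $3, $4, $1
            next
        }
        { printf "(allow %s (literal \"%s\"))\n", $3, $4 }
    '
}

# Usage: feed real lines copied from Console.app instead of SAMPLE_LOG.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

The generated `(allow ...)` lines are only candidates: each one widens the sandbox, so review them against what the program actually needs before adding them to a profile, and treat the `;;` lines as the open question the issue raises rather than something a literal path can answer.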
