opa334 / libSandy

Securely extend the sandbox of system processes and user applications
MIT License

Weird issue with read/write from unsandboxed/sandboxed process. #3

Closed gitusehub closed 1 year ago

gitusehub commented 1 year ago

I've tried this many times but somehow I always get the same result.

From SpringBoard (unsandboxed): I got a nil value from the NSUserDefaults, but when I tried to write a value onto the NSUserDefaults I got this message from cfprefsd[0]

[0] = `wrote file /private/preboot//jb-XXXXXX/procursus/var/mobile/Library/Preferencespref.test.plist`

Notice the /Preferences and pref.test.plist, isn't it supposed to be / in between them? I tried to make another profile, apply libSandy, and call NSUserDefaults and I got the same result. Tested on iOS 15.1.1 (A14).

From app (sandboxed): I can get the value of the .plist in /Preferences/ but when I tried to write a value onto it, I got this message from cfprefsd[1]

[1] = `rejecting write of key(s) data in { pref.test, mobile, kCFPreferencesAnyHost, /var/jb/var/mobile/Library/Preferences/pref.test.plist, managed: 0 } from process 19091 (Twitter) because setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access`

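Profile (pref.test.plist):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AllowedProcesses</key>
	<array>
		<string>*</string>
	</array>
	<key>Extensions</key>
	<array>
		<dict>
			<key>type</key>
			<string>file</string>
			<key>extension_class</key>
			<string>com.apple.app-sandbox.read-write</string>
			<key>path</key>
			<string>/var/mobile/Library/Preferences/pref.test.plist</string>
		</dict>
	</array>
</dict>
</plist>
```
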
opa334 commented 1 year ago

This is a cfprefsd / stock bug where it removes /private from the beginning of /private/preboot paths when running stringByResolvingSymlinksInPath.

Both Dopamine and palera1n rootless have cfprefsd hooks that redirect third party preference plists to /var/jb automatically. So when creating the NSUserDefaults object, just use the rootful path, it will automatically be redirected to /var/jb.

gitusehub commented 1 year ago

I already did use the rootful path or the 'normal' path without /var/jb when creating the NSUserDefaults object, the tests are done using that, it still does not work for me somehow.

Is a sandboxed app supposed to only read data from the Preferences? I can't seem to make it able to write data into it, except from an unsandboxed process.

Here are the logs when I tried to write some data into the .plist inside /Preferences/ (profile already has read-write access in extension_class, and libSandy_applyProfile() called before calling NSUserDefaults):

  1. Kernel = Sandbox: Twitter(22316) deny(1) user-preference-write pref.test
  2. cfprefsd = rejecting write of key(s) prefs in { pref.test, mobile, kCFPreferencesAnyHost, /var/jb/var/mobile/Library/Preferences/pref.test.plist, managed: 0 } from process 22316 (Twitter) because setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access
  3. Twitter = Couldn't write values for keys (prefs) in CFPrefsPlistSource<0x281ec5980> (Domain: pref.test, User: kCFPreferencesCurrentUser, ByHost: No, Container: kCFPreferencesNoContainer, Contents Need Refresh: No): setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access
opa334 commented 1 year ago

In your extension plist you need to omit the /var/jb too, just use the root path there as well. Make sure the extension is read-write, then it should work.
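
The two checks from the last reply (rootful path, read-write extension class), written as a profile lint. This is an added example, not code from the thread or from libSandy; the function names, the prefix list and the two sample profiles are assumptions constructed for illustration, and only the plist keys and the read-write class name come from the profile posted above.

```python
import plistlib

# Prefixes seen in the thread's logs. Per the replies, the jailbreak's cfprefsd
# hooks redirect rootful preference paths, so the profile names the rootful path.
ROOTLESS_PREFIXES = ("/var/jb/", "/private/preboot/")
READ_WRITE_CLASS = "com.apple.app-sandbox.read-write"


def lint_profile(plist_bytes: bytes) -> list[str]:
    """Return findings for one libSandy profile; an empty list means clean."""
    try:
        profile = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or unknown plist format
        return [f"profile does not parse as a plist: {exc}"]
    if not isinstance(profile, dict):
        return ["top-level object is not a dict"]
    extensions = profile.get("Extensions")
    if not isinstance(extensions, list) or not extensions:
        return ["profile has no Extensions array"]
    findings = []
    for i, ext in enumerate(extensions):
        if not isinstance(ext, dict) or ext.get("type") != "file":
            continue  # only file extensions carry the path checked here
        path = str(ext.get("path", ""))
        for prefix in ROOTLESS_PREFIXES:
            if (path + "/").startswith(prefix):
                findings.append(f"Extensions[{i}]: path {path!r} starts with "
                                f"{prefix.rstrip('/')}; use the rootful path")
        ext_class = ext.get("extension_class")
        if ext_class != READ_WRITE_CLASS:
            findings.append(f"Extensions[{i}]: extension_class is {ext_class!r}; "
                            f"preference writes need {READ_WRITE_CLASS}")
    return findings


def _sample(path: str, ext_class: str) -> bytes:
    """Build a constructed sample profile in the same shape as the one posted."""
    return plistlib.dumps({
        "AllowedProcesses": ["*"],
        "Extensions": [{"type": "file", "extension_class": ext_class, "path": path}],
    })


# Constructed samples: the posted profile's values, and a variant with both mistakes.
GOOD = _sample("/var/mobile/Library/Preferences/pref.test.plist", READ_WRITE_CLASS)
BAD = _sample("/var/jb/var/mobile/Library/Preferences/pref.test.plist",
              "com.apple.app-sandbox.read")

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, lint_profile(blob) or "clean")
```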