Open simonw opened 3 years ago
Got some tips from https://twitter.com/Matsubue/status/1432881158237212672:
I would have thought, on a mac, you would use the sandbox dir for its venv instead of sticking it in ~/ (using the sandbox dir for the app should also require fewer privilege requests)
Yeah, such a generic term. You can probably google search it better than me but the key phrase has to do with “entitlements.” Looks like there are some guidelines for how to do it with electron apps.
This bit of the Electron documentation talks about the kind of sandbox I am interested in here: https://www.electronjs.org/docs/tutorial/mac-app-store-submission-guide#enable-apples-app-sandbox
It says "Apps submitted to the Mac App Store must run under Apple's App Sandbox" - but presumably I can use the sandbox even for apps that I'm not distributing through the app store?
This thread on Stack Overflow looks relevant: https://stackoverflow.com/questions/58481610/proper-entitlements-to-automatically-open-directory-on-macos
Also useful: https://developapa.com/security-scoped-bookmark/
Apple documentation: https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html
These three concepts look particularly relevant:
- Entitlements. Communicate to macOS the specific system resources your app needs to get its job done, and no more.
- Containers. Access only the files and directories considered safe for your app.
- Persistent Resource Access. Retain security-scoped bookmarks across launches of your app to any additional files to which the user has specifically granted your app access.
Trying to figure out where the sandbox folder for my app is. https://stackoverflow.com/a/26237331/6083 suggests:
> The sandbox path is mapped to `~/Library/Containers/app-bundle-id/Data/` and is accessed from the sandboxed app using the `NSSearchPathForDirectoriesInDomains()` Foundation function.
These docs are particularly useful: https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
`com.apple.security.inherit` - "Child process inheritance of the parent's sandbox"
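An added check, not code from this issue or from the datasette-app project: it reads a main-app entitlements plist and a child/helper plist (sample contents constructed inline, using Apple's documented entitlement key names) and reports whether the App Sandbox is enabled and whether the child process inherits it via `com.apple.security.inherit`, which is what the spawned Python process would need.

```python
"""Audit macOS entitlement plists for App Sandbox coverage.

Added example, not from the issue or the datasette-app project.
Key names are Apple's documented entitlement keys; the plist bodies
below are constructed samples.
"""
import plistlib

APP_SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"
# Entitlements that widen what a sandboxed app may reach; listed so a
# reviewer sees every grant beyond the sandbox default.
BROADENING_PREFIXES = ("com.apple.security.files.",
                       "com.apple.security.network.",
                       "com.apple.security.temporary-exception.")

def audit(parent_plist: bytes, child_plist: bytes) -> dict:
    """Return findings for a main-app plist and a helper/child plist."""
    parent = plistlib.loads(parent_plist)
    child = plistlib.loads(child_plist)
    findings = []
    if parent.get(APP_SANDBOX) is not True:
        findings.append("main app does not enable the App Sandbox")
    if child.get(APP_SANDBOX) is not True:
        findings.append("child process does not enable the App Sandbox")
    if child.get(INHERIT) is not True:
        findings.append("child process does not inherit the parent sandbox")
    # An inheriting child should not also request entitlements of its own.
    extra = [k for k in child if k not in (APP_SANDBOX, INHERIT)]
    if child.get(INHERIT) is True and extra:
        findings.append(f"inheriting child also requests: {sorted(extra)}")
    grants = sorted(k for k, v in parent.items()
                    if v is True and k.startswith(BROADENING_PREFIXES))
    return {"ok": not findings, "findings": findings, "grants": grants}

# Constructed samples: a sandboxed main app that may open user-picked
# files and listen on a local port, a correct helper, and a helper that
# never opted into the sandbox at all.
PARENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
  <key>com.apple.security.network.server</key><true/>
</dict></plist>"""
CHILD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.inherit</key><true/>
</dict></plist>"""
UNSANDBOXED_CHILD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(audit(PARENT_PLIST, CHILD_PLIST))
    print(audit(PARENT_PLIST, UNSANDBOXED_CHILD))
```

The same check can be run against a built bundle by feeding it the output of `codesign -d --entitlements :- <path>` for the app and each helper.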
I did some experiments and it looks like the packaged app can currently read any file that the user has access to... with the exception of files in the Desktop and Documents folders (and a few other similar ones).
The first time my test plugin attempted to access a file in Documents I got a system prompt asking if the Datasette app should be allowed to access files in that folder.
Something that makes me nervous about this app is that people can install plugins - and I can't guarantee they won't end up installing a malicious plugin that runs malware or steals data or similar.
On macOS it's now possible to lock down apps so they can only interact with their own private "sandbox" folder plus any files that the user explicitly opens using the native file open dialog. This sounds ideal! I can use the sandbox for the virtual environment and install plugins in there, but any malicious plugins (or bugs in my own code) would be limited in how much trouble they could cause.
Researching how to do this with Electron apps is made harder by the fact that Electron has its own sandbox concept which is something completely different - a browser security concept inherited from Chrome.