
I'm curious to know how the new security model in OS X Lion will affect the future. Specifically, I'm questioning Entitlements and Sandboxing.

This isn't a question of whether or not these are good ideas. Rather, this is a question of best guess of what will happen in the future.

I'm curious about things like Python. My company makes a small Python App for emergency situations without web-based software. This includes reading and writing to the file system.

Our app has no entitlements, namely because it's just Python code and we don't do any Cocoa wrapping. When the Mac App Store requirements that all apps have to be sandboxed and list their entitlements go into effect, I wonder if Apple will roll out an update to the operating system and say, "this is how we do security from now on and if your application doesn't meet our security model, it won't run because it's not secure."

I have mixed emotions about this. On the one hand, I think it's great for making consumer's machines more secure. Less rogue code and all that rot. On the other hand, it's going to make development a living hell for a lot of developers, methinks.

I also wonder, if such an update comes out for Lion, whether the same update will be released for either Leopard or Snow Leopard. My thought would be not Leopard, as it is two generations behind the current OS. Snow Leopard all depends on how long Apple wants to support an older OS.

So now I open it up to Apple developers to speak their minds on this topic and perhaps generate thoughts where previously there were none.

CharlesB
Professor Tom
  • I'd say nobody knows until Apple actually does something. At the moment all this security stuff is entirely optional and you can continue to develop software in the same fashion you always have. I don't think this will suddenly change. They may tweak and enforce more of the security model by default over time, but you will still be able to "just write software". It's only mandatory if you want to go through the App Store, which IMO is a great way to force people on board that want to distribute software; but that doesn't seem to need to concern you at all. – deceze Sep 14 '11 at 16:57

1 Answer


If you could embed Python along with your script and package it into a .app using something like py2app, I would imagine you could add/edit the Info.plist to satisfy Apple's requirements for signing. Similarly for entitlements, I would imagine you could edit the .app's entitlements.plist. I think the sandbox enforcer sandboxd is not language specific, it just allows/blocks the process's access to devices and files (for example, by not granting restricted file descriptors). Keep in mind, it's possible that an embedded Python interpreter would by default need access to some entitlements for initialization (because it may not be created with sandboxing in mind).

For iOS devices (which must be sandboxed to be sold on the store), Apple's policy (iOS developer program agreement section 3.3.2) is:

An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded.

It seems that the above solution, if possible, would satisfy this requirement (assuming a similar stipulation would be made for OS X apps). However, if you are not interested in distributing your app on the App Store, I don't think you have anything to worry about. I very much doubt they will require code signing or entitlements for running applications on your computer anytime soon (instead just sandboxing those sold on the App Store, making it the 'safe' place to get apps).

shookster
  • Gatekeeper is the first step in that direction. It will be introduced in Mountain Lion (10.8) and will notify a user when they're running an app that is not signed, under the default configuration. It has no bearing on sandboxing, though. – Dov May 30 '12 at 15:51
  • @Dov Though I believe you can sign apps that aren't distributed through the Mac App Store. – shookster Jun 04 '12 at 19:06
  • Of course you can, that's the whole point of Gatekeeper. On its most restrictive setting, you can only install MAS apps. On the middle (default) setting, it warns you when you run any non-MAS app that _has not_ been signed by the developer with an Apple-issued certificate. On the least restrictive setting, there are no warnings, like in Lion. – Dov Jun 04 '12 at 19:10
  • sandboxd is no "enforcer", it just handles the user-level logging of what the sandbox stuff in the kernel does. – tml Aug 23 '13 at 17:11
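As an added example (not code from the answer, from py2app or from Apple), here is what the entitlements.plist the answer mentions would contain for a sandboxed app that only reads and writes files the user picks, together with a least-privilege check to run over an entitlements file before signing. It assumes Apple's documented App Sandbox entitlement keys; the "broad" key list is an assumed reviewer policy of my own, and the sample plists are constructed.

```python
import plistlib

# Real App Sandbox entitlement keys from Apple's documentation.
SANDBOX_KEY = "com.apple.security.app-sandbox"
USER_FILES_KEY = "com.apple.security.files.user-selected.read-write"
# Assumed reviewer policy (not an Apple list): entitlements that grant far more
# than an app which only reads and writes user-chosen files should need.
BROAD_KEYS = {
    "com.apple.security.temporary-exception.files.absolute-path.read-write",
    "com.apple.security.temporary-exception.files.home-relative-path.read-write",
    "com.apple.security.network.server",
}


def minimal_entitlements() -> bytes:
    """Entitlements.plist (XML) for a sandboxed app limited to user-picked files."""
    return plistlib.dumps({SANDBOX_KEY: True, USER_FILES_KEY: True})


def audit_entitlements(plist_bytes: bytes) -> list:
    """Return human-readable findings; an empty list means the plist passes."""
    ent = plistlib.loads(plist_bytes)
    findings = []
    if ent.get(SANDBOX_KEY) is not True:
        findings.append("sandbox not enabled")
    for key in sorted(set(ent) & BROAD_KEYS):
        findings.append(f"broad entitlement: {key}")
    return findings


# Constructed sample: an entitlements file that would be hard to justify,
# because it reaches outside the sandbox to a fixed path.
OVERBROAD_ENTITLEMENTS = plistlib.dumps({
    SANDBOX_KEY: True,
    "com.apple.security.temporary-exception.files.absolute-path.read-write": ["/tmp/"],
})
# Constructed sample: no sandbox key at all (the state the question describes).
UNSANDBOXED_ENTITLEMENTS = plistlib.dumps({})

if __name__ == "__main__":
    for name, data in [("minimal", minimal_entitlements()),
                       ("overbroad", OVERBROAD_ENTITLEMENTS),
                       ("unsandboxed", UNSANDBOXED_ENTITLEMENTS)]:
        print(name, audit_entitlements(data) or "OK")
```

On a real bundle the same check can be pointed at the output of `codesign -d --entitlements :- YourApp.app`, which prints the entitlements embedded at signing time.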