[tor-qa] Fwd: [tor-talk] OSX sandbox available for tbb3 (10.9 only)

Andreas Jonsson andreas at romab.com
Mon Nov 18 20:04:32 UTC 2013


On 2013-11-18 20:56, Erinn Clark wrote:
> * Andreas Jonsson <andreas at romab.com> [2013:11:18 20:33 +0100]: 
>> Very hard to troubleshoot why it isn't working properly unless it is in
>> debug mode :) (log file is /var/log/system.log), should anyone be
>> curious. If this is problematic/show stopper/undesirable, I will create
>> a new release with no debug.
> 
> Feature request: make the debug output write to its own log that is not a
> system.log. Something like writing to the top level directory of TBB as
> tbb-sandbox-debug.log would be better.
> 
> I can file it as a github issue if you like.
> 

Hi, would comply if it was possible. It is not under my control, however.
If it makes people easier of mind, this is what the log file looks like:


Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-data /Users/andreas/Library/Preferences/org.mozilla.torbrowser.plist
Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-data /Users/andreas/Library/Preferences/ByHost/.GlobalPreferences.B101F099-F648-519F-AB1B-DC931056B734.plist
Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-data /Users/andreas/Library/Preferences/.GlobalPreferences.plist
Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-data /Library/Preferences/.GlobalPreferences.plist
Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-data /Users/andreas/Library/Preferences/com.apple.LaunchServices.plist
Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-data /Users/andreas/Library/Preferences/com.apple.ATS.plist
Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /private/var/folders/f7/27l6xbks2yx_qml_r37vqzbr0000gn
Nov 18 20:58:20 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-data /Users/andreas/Library/Preferences/com.apple.HIToolbox.plist
Nov 18 20:58:24 stiletto kernel[0]: Sandbox: firefox(12880) deny mach-lookup com.apple.ls.boxd
Nov 18 20:58:24 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /Users/andreas/Library/Internet Plug-Ins/WebEx64.plugin
Nov 18 20:58:24 --- last message repeated 4 times ---
Nov 18 20:58:24 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /Library/Internet Plug-Ins/Default Browser.plugin
Nov 18 20:58:24 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /Library/Internet Plug-Ins/flashplayer.xpt
Nov 18 20:58:24 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Nov 18 20:59:55 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /.vol
Nov 18 20:59:55 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /Users/andreas/Documents
Nov 18 20:59:55 --- last message repeated 3 times ---
Nov 18 20:59:55 stiletto kernel[0]: Sandbox: firefox(12880) deny file-read-metadata /Users/andreas/Desktop/untitled folder/slask


This log file more or less explodes when opening files etc.

Perhaps the log file should default to off, and be enabled for those
willing to help debugging. It will not completely remove info from this
log however, should the sandbox trigger exceptions in underlying libraries.


Example:

Nov 18 20:58:20 stiletto.u88.romab.com appleeventsd[76]:
<rdar://problem/11489077> A sandboxed application with pid 12880,
"TorBrowser" checked in with appleeventsd, but its code signature could
not be validated ( either because it was corrupt, or could not be read
by appleeventsd ) and so it cannot receive AppleEvents targeted by name,
bundle id, or signature. Error=ERROR: #100013  {
"NSDescription"="SecCodeCopyGuestWithAttributes() returned 100013, -." }
 (handleMessage()/appleEventsD.cp #2072) client-reqs-q


/andreas
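
Added example (not part of the original post, and not code from the sandbox project): a Python triage script for deny lines in the format shown in the log above. It rejoins mail-wrapped records and applies syslog's "last message repeated N times" lines to the preceding denial; the function names and the selection of sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Record format seen in the excerpt above:
#   <date> <host> kernel[0]: Sandbox: <proc>(<pid>) deny <operation> <target>
DENY = re.compile(r"kernel\[\d+\]: Sandbox: (?P<proc>[^\s(]+)\((?P<pid>\d+)\) "
                  r"deny (?P<op>\S+) (?P<target>.+)$")
REPEAT = re.compile(r"--- last message repeated (\d+) times? ---")
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def unwrap(lines):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(lines, proc="firefox"):
    """Count denials per (operation, target) for one process name."""
    counts, last = Counter(), None
    for rec in unwrap(lines):
        rep = REPEAT.search(rec)
        if rep:
            # A repeat line only counts when it directly follows a matching denial.
            if last is not None:
                counts[last] += int(rep.group(1))
            continue
        m = DENY.search(rec)
        last = (m.group("op"), m.group("target")) if m and m.group("proc") == proc else None
        if last is not None:
            counts[last] += 1
    return counts

# Sample input: a few lines copied from the excerpt above, in their wrapped form.
SAMPLE = """\
Nov 18 20:58:24 stiletto kernel[0]: Sandbox: firefox(12880) deny
mach-lookup com.apple.ls.boxd
Nov 18 20:58:24 stiletto kernel[0]: Sandbox: firefox(12880) deny
file-read-metadata /Users/andreas/Library/Internet Plug-Ins/WebEx64.plugin
Nov 18 20:58:24 --- last message repeated 4 times ---
Nov 18 20:59:55 stiletto kernel[0]: Sandbox: firefox(12880) deny
file-read-metadata /Users/andreas/Documents
Nov 18 20:59:55 --- last message repeated 3 times ---
""".splitlines()

if __name__ == "__main__":
    for (op, target), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {op:20s} {target}")
```

Grouping by operation and target shows which paths and Mach services the profile blocks most often, which is the information needed when deciding whether a rule should be relaxed or the denial is intended.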

