pcap_open_live cannot access /dev/bpf0 while in sandbox

I'm working on a packet-capture GUI application using the pcap library (which uses /dev/bpf0) in Xcode 11. When in App Sandbox it fails with the following error:


pcap_open_live failed with error en0: (cannot open BPF device) /dev/bpf0: Operation not permitted


With app sandbox disabled it succeeds.


I set all of the following entitlements but pcap_open_live still failed while sandboxed:

sandbox->incoming connections(server)

sandbox->outgoing connections(client)

Custom network protocol

All 4 network extensions (app proxy, content filter, packet tunnel, DNS proxy)



Questions:


1) Is it possible to use pcap/BPF from within the sandbox (with some other entitlement perhaps?)


2) Are the pcap libraries (which are documented in a manpage) considered "non-public API" for purposes of app review guideline 2.5.1 (apps may only use public APIs)?


(contingency question if the answers to #1/#2 are bad): Is there another way to capture ethernet frames that is acceptable to the app store?


Note that app review guideline 2.4.5(i) requires that macOS apps in the app store be appropriately sandboxed.


Thanks!


Darrell


Let’s answer your easy question first:

2) Are the pcap libraries (which are documented in a manpage) considered "non-public API" …

No. The acid test here is whether the headers (and the associated stub library) are included in the public macOS SDK, which they are.

1) Is it possible to use pcap/BPF from within the sandbox (with some other entitlement perhaps?)

That’s tricky. Do you want to do live capture? Or just use the API to read and write capture files?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I am doing live packet and (for ethernet and wifi interfaces) frame header capture. It is the primary function of the app.

I don’t think that’s feasible in an App Store app. A live capture requires access to the BPF device (/dev/bpf*). Those devices are only readable by root, meaning that opening them requires escalated privileges. And escalating privileges is specifically proscribed by the App Store Review Guidelines (clause 2.4.5(v)).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the answer.


I figured out how I was accessing /dev/bpf0 when I wasn't in the sandbox.


It looks like the Wireshark installer creates an access_bpf group, makes /dev/bpf* group-owned by access_bpf, and then adds the user to the access_bpf group (as can be seen by preferences -> Users and groups by opening up the group tab at the bottom). It looks like these permissions work for my app when outside the sandbox, but not in the sandbox.


That's also why tcpdump was working for me without sudo.


Makes perfect sense because packet-capturing apps can be used for evil. But makes it hard to provide certain kinds of functionality. I will have to think about options.


Edit: It also makes me wonder if sandboxed apps run as a different "user". If yes, then that user could be added to the access_bpf group, allowing access to /dev/bpf* from a sandbox without granting access to everything else.


Darrell

Accepted Answer

It also makes me wonder if sandboxed apps run as a different "user".

They do not.

Keep in mind that there’s two things blocking you from accessing this dev node from an App Store app:

  • The permissions on the dev node itself

  • The sandbox

Monkeying with group owner will help with the former but not the latter.

You might be able to make progress on the latter using a temporary exception entitlement (see the App Sandbox Temporary Exception Entitlements) but my experience is that App Review is very reluctant to let apps use that.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
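The following C program is an added example, not code from the thread or from libpcap, that makes the two blockers in the answer above observable one at a time, and explains the "Operation not permitted" text in the original pcap_open_live error. It evaluates the discretionary permission check on the device node (blocker 1, the thing the access_bpf group trick changes) from stat(2) and getgroups(2) values, then attempts the open(2) and classifies the errno: on macOS a node whose owner/group/mode reject you fails with EACCES ("Permission denied"), while a denial by App Sandbox surfaces as EPERM ("Operation not permitted") even when the mode bits would have let you in. The probing of /dev/bpf0, /dev/bpf1, … with EBUSY skipped mirrors what libpcap does when it looks for a free BPF minor; the upper bound of 255 minors, the sample uid/gid values in the comments, and the errno-to-blocker mapping are assumptions made for illustration, not something the thread states.

```c
/*
 * Added example, not from the forum thread or from libpcap.
 * Separates the two things that block a sandboxed App Store app from /dev/bpf*:
 *   1. DAC permissions on the device node (owner/group/mode), which the
 *      access_bpf group trick used by the Wireshark installer changes;
 *   2. App Sandbox, which denies the open() regardless of 1.
 * Assumptions: BSD-style /dev/bpfN nodes, at most 256 minors probed,
 * and the macOS convention that sandbox denials report EPERM while
 * DAC denials report EACCES.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define BPF_MAX_MINOR 255   /* assumed probe limit; libpcap keeps trying while EBUSY */

/* Blocker 1: classic Unix DAC. A process running as (uid, gids) wants to open a
 * node owned by (dev_uid, dev_gid) with permission bits `mode` for read, or for
 * read+write when want_write is set. Only the first matching class (owner,
 * then group, then other) is consulted, as the kernel does it; uid 0 bypasses
 * the check, which is why tcpdump normally needs sudo. */
bool bpf_dac_allows(mode_t mode, uid_t dev_uid, gid_t dev_gid,
                    uid_t uid, const gid_t *gids, int ngids, bool want_write)
{
    if (uid == 0)
        return true;
    if (uid == dev_uid) {
        mode_t need = want_write ? (S_IRUSR | S_IWUSR) : S_IRUSR;
        return (mode & need) == need;
    }
    for (int i = 0; i < ngids; i++) {
        if (gids[i] == dev_gid) {
            mode_t need = want_write ? (S_IRGRP | S_IWGRP) : S_IRGRP;
            return (mode & need) == need;
        }
    }
    mode_t need = want_write ? (S_IROTH | S_IWOTH) : S_IROTH;
    return (mode & need) == need;
}

/* Map an open(2) failure on a BPF node to the blocker it most likely indicates
 * (heuristic, based on the errno conventions noted above). */
const char *classify_open_errno(int err)
{
    switch (err) {
    case EACCES: return "dac";      /* blocker 1: owner/group/mode reject you */
    case EPERM:  return "sandbox";  /* blocker 2: DAC passed, policy (App Sandbox) refused */
    case EBUSY:  return "busy";     /* this minor is held by another capture; try the next */
    case ENOENT: return "missing";  /* no such node: past the last minor, or not a BSD/macOS host */
    default:     return "other";
    }
}

/* Probe /dev/bpf0, /dev/bpf1, ... the way libpcap finds a free minor: skip busy
 * ones, stop on any other error since further minors would fail the same way.
 * On success returns the fd; on failure returns -1 with errno set. `path`
 * always receives the last node tried. */
int bpf_open_first(char *path, size_t pathlen)
{
    for (int minor = 0; minor <= BPF_MAX_MINOR; minor++) {
        snprintf(path, pathlen, "/dev/bpf%d", minor);
        int fd = open(path, O_RDWR);
        if (fd >= 0)
            return fd;
        if (errno != EBUSY)
            return -1;
    }
    errno = EBUSY;
    return -1;
}

int main(void)
{
    struct stat st;
    if (stat("/dev/bpf0", &st) != 0) {
        printf("stat /dev/bpf0: %s (%s)\n", strerror(errno), classify_open_errno(errno));
        return 1;
    }
    gid_t gids[64];                      /* on macOS getgroups() includes the effective gid */
    int ngids = getgroups(64, gids);
    if (ngids < 0)
        ngids = 0;
    bool dac_ok = bpf_dac_allows(st.st_mode & 07777, st.st_uid, st.st_gid,
                                 geteuid(), gids, ngids, true);
    printf("blocker 1 (DAC on /dev/bpf0): %s\n", dac_ok ? "ok" : "denied");

    char path[32];
    int fd = bpf_open_first(path, sizeof path);
    if (fd < 0) {
        int err = errno;
        printf("open %s: %s -> %s\n", path, strerror(err), classify_open_errno(err));
        if (err == EPERM && dac_ok)
            puts("DAC passed but open was refused: that is blocker 2, the sandbox.");
        return 1;
    }
    printf("opened %s (fd %d)\n", path, fd);
    close(fd);
    return 0;
}
```

Run it once outside the sandbox and once inside: with the access_bpf group in place the first line reports DAC ok both times, and only the sandboxed run fails the open with EPERM, which is exactly the split the answer describes. A fix to the group owner can only ever turn EACCES into success; it never changes an EPERM.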

Thanks! Not the answer I wanted, but better to get it now than later. Cheers!


Darrell
