pcap_open_live cannot access /dev/bpf0 while in sandbox

I'm working on a packet-capture GUI application using the pcap library (which uses /dev/bpf0) in XCode 11. When in App Sandbox it fails with the following error:


pcap_open_live failed with error en0: (cannot open BPF device) /dev/bpf0: Operation not permitted


With app sandbox disabled it succeeds.


I set the all of following entitlements but pcap_open_live still failed while sanboxed:

sandbox->incoming connections(server)

sandbox->outgoing connections(client)

Custom network protocol

All 4 network extensions (app proxy, content filter, packet tunnel, dns proxy)



Questions:


1) Is it possible to use pcap/BPF from within the sandbox (with some other entitlement perhaps?)


2) Are the pcap libraries (which are documented in a manpage) considered "non-public API" for purposes of app review guidline 2.5.1 (apps may only use public API's)?


(contingency question if the answers to #1/#2 are bad): Is there another way to capture ethernet frames that is acceptable to the app store?


Note that app review guideline 2.4.5(i) requires that MacOS apps in the app store be appropriately sandboxed.


Thanks!


Darrell

Up vote post of droot Down vote post of droot
768 views
Posted by
droot
Reply
Add a Comment

Accepted Reply

It also makes me wonder if sandboxed apps run as a different "user".

They do not.

Keep in mind that there’s two things blocking you from accessing this dev node from an App Store app:

  • The permissions on the dev node itself

  • The sandbox

Monkeying with group owner will help with the former but not the latter.

You might be able to make progress on the latter using a temporary exception entitlement (see the App Sandbox Temporary Exception Entitlements) but my experience is that App Review is very reluctant to let apps use that.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

Let’s answer your easy question first:

2) Are the pcap libraries (which are documented in a manpage) considered "non-public API" …

No. The acid test here is whether the headers (and the associated stub library) are included in the public macOS SDK, which they are.

1) Is it possible to use pcap/BPF from within the sandbox (with some other entitlement perhaps?)

That’s tricky. Do you want to do live capture? Or just use the API to read and write capture files?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

I am doing live packet and (for ethernet and wifi interfaces) frame header capture. It is the primary function of the app.

Posted by
droot
Up vote reply of droot Down vote reply of droot
Add a Comment

I don’t think that’s feasible in an App Store app. A live capture requires access to the BPF device (

/dev/bpf*
). Those devices are only readable by a 
root
, meaning that opening them requires escalated privileges. And escalating privileges is specifically proscribed by the App Store Review Guidelines (clause 2.4.5(v)).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks for the answer.


I figured out how I was accessing /dev/bpf0 when I wasn't in the sandbox.


It looks like the Wireshark installer creates an access_bpf group, makes /dev/bpf* group-owned by access_bpf, and then adds the user to the access_bpf group (as can be seen by preferences -> Users and groups by opening up the group tab at the bottom). It looks like these permissions work for my app when outside the sandbox, but not in the sandbox.


That also why tcpdump was working for me without sudo.


Makes perfect sense because packet-capturing apps can be used for evil. But makes it hard to provide certain kinds of functionality. I will have to think about options.


Edit: It also makes me wonder if sandboxed apps run as a different "user". If yes, then that user could be added to the access_bpf group, allowing access to /dev/bpf* from a sandbox without granting access to everyting else.


Darrell

Posted by
droot
Up vote reply of droot Down vote reply of droot
Add a Comment

It also makes me wonder if sandboxed apps run as a different "user".

They do not.

Keep in mind that there’s two things blocking you from accessing this dev node from an App Store app:

  • The permissions on the dev node itself

  • The sandbox

Monkeying with group owner will help with the former but not the latter.

You might be able to make progress on the latter using a temporary exception entitlement (see the App Sandbox Temporary Exception Entitlements) but my experience is that App Review is very reluctant to let apps use that.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Thanks! Not the answer I wanted, but better to get it now than later. Cheers!


Darrell

Posted by
droot
Up vote reply of droot Down vote reply of droot
Add a Comment