Sandboxing of Application

I am in need of assistance with sandboxing the Riot Games client and the game League of Legends.

I originally played on a VM from Linux, but after the change to the incredibly intrusive rootkit malware Vanguard, I cannot play from a VM, or at least it would be difficult. If this route of containerizing it on Mac proves to be more difficult (which wouldn't make sense), then I will go back to spoofing the VM to not look like a VM. This is even more infuriating because I almost exclusively play Team Fight Tactics, in which there is zero cheating and cheating would give a player zero advantage.

I decided I would try the Mac version of the game, but Apple does not sandbox applications at all like Flatpak and Flatseal from Linux.

The game has access to my entire system and can read and write to my home directory. This is a massive security risk.

I originally tried checking the Privacy & Security section of System Settings, but the application was not listed anywhere, nor was it given access in any of the sections listed.

I checked both the user-local and global TCC.db files, and neither had records that gave the game or client any privileges.

This was concerning because TCC.db appears to be the only user-facing way of managing permissions, which you would think would be a bare minimum baseline, and yet the game and client have full access to my system and those permissions are listed nowhere and are given nowhere. I.e., the default is just to let it do as it pleases, even though it's a game and the only thing it needs to do is render to the screen. macOS should properly fix this and implement proper sandboxing of applications like Flatpak.

I then began building a configuration scheme for sandbox-exec seeing as it was the last opportunity to correctly contain the application to only have the permissions it needs.

I carefully crafted the config, but it fails, just as simply allowing all with allow default does...

(version 1)
(allow default)

I run the application with the following command:

sandbox-exec -f ~/config.sb "/Users/Shared/Riot Games/Riot Client.app/Contents/MacOS/RiotClientServices"

Below are some of the errors produced from running the client sandboxed.

00:44:09.819 (SplashScreenManager) Displaying splash screen from default-splash.html for 2000ms
00:44:09.825                       app.isPackaged true
00:44:09.842                       Loading page from http://127.0.0.1:51563/index.html
sandbox initialization failed: Operation not permitted
Failed to initialize sandbox.[0102/004409.953876:ERROR:exception_snapshot_mac.cc(139)] exception_thread not found in task
[0102/004409.954838:ERROR:process_reader_mac.cc(309)] thread_get_state(4): (os/kern) invalid argument (4)
[0102/004409.954852:ERROR:process_reader_mac.cc(309)] thread_get_state(4): (os/kern) invalid argument (4)
[0102/004409.955178:WARNING:process_reader_mac.cc(532)] multiple MH_EXECUTE modules (/usr/libexec/rosetta/runtime, /Library/Apple/usr/libexec/oah/libRosettaRuntime)
[0102/004409.955364:WARNING:process_reader_mac.cc(532)] multiple MH_EXECUTE modules (/usr/libexec/rosetta/runtime, /Users/Shared/Riot Games/Riot Client.app/Contents/Frameworks/Riot Client.app/Contents/Frameworks/Riot Client Helper (Renderer).app/Contents/MacOS/Riot Client Helper (Renderer))
[0102/004410.111422:ERROR:exception_snapshot_mac.cc(139)] exception_thread not found in task
[4607:0102/004415.168524:ERROR:gpu_process_host.cc(991)] GPU process exited unexpectedly: exit_code=6
[4607:0102/004415.187770:ERROR:network_service_instance_impl.cc(521)] Network service crashed, restarting service.
00:44:15.215 Renderer process has unexpectedly crashed or was killed: crashed (6) { reason: 'crashed', exitCode: 6 }
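
An added triage script (not part of the original post) that parses the two timestamp formats in the log above and lists the crashes logged at or after the "sandbox initialization failed" line. The sample input is a constructed subset of the posted log, and untimestamped lines are assumed to share the preceding line's time.

```python
import re

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
00:44:09.842                       Loading page from http://127.0.0.1:51563/index.html
sandbox initialization failed: Operation not permitted
Failed to initialize sandbox.[0102/004409.953876:ERROR:exception_snapshot_mac.cc(139)] exception_thread not found in task
[4607:0102/004415.168524:ERROR:gpu_process_host.cc(991)] GPU process exited unexpectedly: exit_code=6
[4607:0102/004415.187770:ERROR:network_service_instance_impl.cc(521)] Network service crashed, restarting service.
00:44:15.215 Renderer process has unexpectedly crashed or was killed: crashed (6) { reason: 'crashed', exitCode: 6 }
"""

# Two prefixes: Chromium's [pid:MMDD/HHMMSS.usec:LEVEL:file(line)] (pid optional) and the app's HH:MM:SS.mmm.
CHROMIUM = re.compile(
    r"\[(?:\d+:)?\d{4}/(\d{2})(\d{2})(\d{2}\.\d+):(\w+):([\w.]+)\(\d+\)\]\s*(.*)")
APP = re.compile(r"(\d{2}):(\d{2}):(\d{2}\.\d+)\s+(.*)")
CRASH = re.compile(r"crash|exited unexpectedly", re.I)

def parse(log):
    """Return (seconds_of_day, source_file, message) tuples in file order."""
    events, last_t = [], None
    for raw in log.splitlines():
        m = CHROMIUM.search(raw)
        if m:
            if raw[:m.start()].strip():  # stderr text fused in front of the prefix
                events.append((last_t, None, raw[:m.start()].strip()))
            h, mi, s, _level, src, msg = m.groups()
        elif (m := APP.match(raw)):
            (h, mi, s, msg), src = m.groups(), None
        else:  # no timestamp: inherit the previous line's time (assumption)
            events.append((last_t, None, raw.strip()))
            continue
        last_t = int(h) * 3600 + int(mi) * 60 + float(s)
        events.append((last_t, src, msg))
    return events

def triage(log):
    """Find the sandbox init failure and every crash logged at or after it."""
    events = parse(log)
    fail = next((e for e in events if "sandbox initialization failed" in e[2]), None)
    if fail is None or fail[0] is None:
        return {"failure_at": None, "crashes_after": []}
    after = [(round(t - fail[0], 3), src, msg) for t, src, msg in events
             if t is not None and t >= fail[0] and CRASH.search(msg)]
    return {"failure_at": fail[0], "crashes_after": after}

if __name__ == "__main__":
    for delay, src, msg in triage(SAMPLE_LOG)["crashes_after"]:
        print(f"+{delay:6.3f}s  {src or 'app log':<34} {msg}")
```
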