
Sandboxing

Open mipstian opened this issue 11 years ago • 7 comments

Currently, the feed checker service is sandboxed, but the main app isn't.

Whenever Sparkle supports sandboxing, we can adopt it in the app as well. Right now the app needs network access so Sparkle can check for updates, but they're slowly turning it into an XPC service with its own entitlements.

The app would only need an entitlement for access to the Downloads directory, which is the default save path for torrent files. Access to other directories would be granted via Powerbox. All networking is already done by the service.

Existing users that already have a custom folder in their preferences would need to re-select it. Luckily this should be self-correcting, because with sandboxing this folder would be inaccessible, and will thus cause the preferences window to pop up on launch with an error icon next to it. I think users would be able to figure out what to do at this point, especially if we add a warning to the release notes, so the transition shouldn't be too bumpy.

mipstian, Sep 13 '14 01:09

Why do you want the app to be sandboxed? The only advantage I can think of is submitting it to the MAS, but Apple doesn't accept any apps related to torrents.

yashendra2797, Mar 03 '16 12:03

What about security? :)

mipstian, Mar 03 '16 12:03

How much would sandboxing affect security for an app like Catch? Personally I don't think it's worth the effort.

yashendra2797, Mar 05 '16 13:03

Well that's the cool part, the effort is almost zero. As soon as a version of Sparkle compatible with sandboxing comes out, we just need to update to it and flip the sandboxing switch. No code changes needed in Catch.

We're already mostly covered because the feed checker service inside Catch is sandboxed - it only has outgoing network access + temporary access to the download folder that is passed from the main app. The feed checker service is the most vulnerable part of the app as it's exposed to data coming from the network and contains a parser. So if it is compromised, it can't change any files outside the download folder or start a server (among other things).

But the service does have a backchannel to the main app. So it'd be nice if the main app had no privileges at all. All it needs is access to the download folder, which is granted via Powerbox. So even if someone could manage to forge a malicious feed which would cause the main app to misbehave, it would be mostly harmless.

Long story short, we wait on Sparkle and then we get extra security for free :)

mipstian, Mar 05 '16 16:03
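The entitlement split described in this comment and in the opening post (main app: file access only; feed checker service: outgoing network only) can be checked mechanically. The following is an added example, not Catch's own build configuration: a small Python audit that parses each target's entitlements plist with the standard-library `plistlib` and compares it against an allow-list. The two plists, the allow-lists, the `audit` helper and the target names `Catch.app` and `FeedChecker.xpc` are all constructed for this illustration.

```python
"""Audit App Sandbox entitlements for a main app and its XPC service.

Added example, not Catch's own build files. The plists and the allow-lists
are constructed to match the split described in the thread: the main app
gets file access only, the feed checker service gets outgoing network only.
"""
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
NET_CLIENT = "com.apple.security.network.client"
NET_SERVER = "com.apple.security.network.server"
TEMP_EXCEPTION = "com.apple.security.temporary-exception."

# Assumed policy: what each target may carry besides the sandbox flag itself.
APP_ALLOWED = frozenset({
    "com.apple.security.files.downloads.read-write",      # default torrent save path
    "com.apple.security.files.user-selected.read-write",  # folders chosen through Powerbox
    "com.apple.security.files.bookmarks.app-scope",       # keep that grant across launches
})
SERVICE_ALLOWED = frozenset({NET_CLIENT})  # outgoing feed fetches only


def audit(entitlements, allowed):
    """Return a list of findings for one target; an empty list means it matches policy."""
    ents = plistlib.loads(entitlements)
    findings = []
    if ents.get(SANDBOX) is not True:
        findings.append(f"{SANDBOX}: not true, target runs unsandboxed")
    for key, value in sorted(ents.items()):
        if key == SANDBOX or value is False:
            continue  # a <false/> entitlement grants nothing
        if key == NET_SERVER:
            findings.append(f"{key}: neither target should accept inbound connections")
        elif key.startswith(TEMP_EXCEPTION):
            findings.append(f"{key}: temporary exception punches a hole in the sandbox")
        elif key not in allowed:
            findings.append(f"{key}: not in the allow-list for this target")
        elif value is not True:
            findings.append(f"{key}: expected <true/>, got {value!r}")
    return findings


# Constructed sample: what the main app's .entitlements file would look like.
APP_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.downloads.read-write</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.files.bookmarks.app-scope</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the feed checker XPC service. It gets no file
# entitlement at all; the download folder is handed to it by the app.
SERVICE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

# Constructed "before" variants that the audit should reject: the app still
# doing its own networking and unsandboxed, and a service that listens.
APP_WITH_NETWORK = plistlib.dumps({
    NET_CLIENT: True,
    "com.apple.security.files.downloads.read-write": True,
})
SERVICE_WITH_SERVER = plistlib.dumps({SANDBOX: True, NET_CLIENT: True, NET_SERVER: True})


if __name__ == "__main__":
    for name, ents, allowed in [
        ("Catch.app", APP_ENTITLEMENTS, APP_ALLOWED),
        ("FeedChecker.xpc", SERVICE_ENTITLEMENTS, SERVICE_ALLOWED),
        ("Catch.app (unsandboxed draft)", APP_WITH_NETWORK, APP_ALLOWED),
        ("FeedChecker.xpc (with server)", SERVICE_WITH_SERVER, SERVICE_ALLOWED),
    ]:
        print(name, audit(ents, allowed) or "OK")
```

This audits the source `.entitlements` files; to check what actually shipped, dump the signed binary's entitlements with `codesign -d --entitlements :- Catch.app` (and again for each bundled `.xpc`, since an XPC service does not inherit its host app's entitlements and is sandboxed on its own terms) and feed that plist to `audit`. The `bookmarks.app-scope` entry is what lets the app persist the Powerbox grant for a custom folder across launches instead of asking the user to pick it every time.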

Whelp. The Transmission ransomware shit is now making me push for sandboxing. Sorry for questioning you mate. Keep up the good work!

yashendra2797, Mar 07 '16 19:03

No need to apologize, it was a legitimate question :)

mipstian, Mar 07 '16 19:03

For reference, the status of Sparkle 2 (the sandboxing release) is tracked at https://github.com/sparkle-project/Sparkle/issues/1523

mipstian, Jun 21 '21 08:06