Dev:Seatbelt

Seatbelt, also known as sandbox, is a kernel extension that restricts a set of features from being used for some processes.

Applying sandbox to your app
It is a good idea to apply a sandbox to restrict what your app can do, esp. for setuid apps, in case a vulnerability is found (well maybe not needed for iPhoneOS...). The documented way of applying a sandbox is

Once a sandbox is applied, you cannot jump out from the sandbox anymore.

There are 5 documented profiles and 9 undocumented profiles:
 * 0. kSBXProfileNoNetwork (= "nonet")
 * 1. kSBXProfileNoInternet (= "nointernet")
 * 2. kSBXProfilePureComputation (= "pure-computation")
 * 3. kSBXProfileNoWriteExceptTemporary (= "write-tmp-only")
 * 4. kSBXProfileNoWrite (= "nowrite")
 * 5. "sandbox-compilerd"
 * 6. "mDNSResponder"
 * 7. "apsd"
 * 8. "AppleDiags"
 * 9. "PasteBoard"
 * 10. "container" (Having the same restriction as AppStore apps.)
 * 11. ""
 * 12. ""
 * 13. ""

MobileSafari
Same as MobileMail but /var/mobile/Media/Safari/ is also read/writable.

MobileMail

 * UNIX sockets cannot be used.
 * The following files and directories cannot be read:
 * /var/mobile/Applications/*
 * /var/mobile/Media/* (except DCIM/, com.apple.itdbprep.postprocess.lock and com.apple.itunes.lock_sync)
 * /var/mobile/Library/Caches/com.apple.mobile.installation.plist
 * /usr/sbin/fairplayd
 * The filesystem by default is read-only, but the following directories can be written:
 * /var/mobile/Library/*
 * /var/mobile/Media/DCIM/*
 * /tmp/*

MobileMaps
Based on MobileMail but
 * /var/logs cannot be read.
 * /var/mobile/Library/Caches/com.apple.UIKit.pboard/* cannot be read.
 * /var/mobile/Media/* cannot be written.
 * /var/mobile/Library/* cannot be written, except:
 * /var/mobile/Library/Caches/Maps/*
 * /var/mobile/Library/Keyboard/*
 * /var/mobile/Library/Maps/*
 * /var/mobile/Library/SMS/*

PasteBoard
Everywhere is read-only, except:
 * /var/mobile/Library/Caches/com.apple.UIKit.pboard/*
 * /tmp/*

AppleDiags
Based on MobileMail but
 * /var/mobile/Media/* can be read.
 * /var/mobile/Library/Caches/com.apple.mobile.installation.plist can be read.
 * /var/mobile/Library/* cannot be written, except:
 * /var/mobile/Library/AddressBook/*
 * /var/mobile/Library/Keyboard/*
 * /var/mobile/Library/Logs/CrashReporter/*
 * /var/mobile/Library/Preferences/*

apsd, mDNSResponder
The filesystem cannot be accessed at all.

sandbox-compilerd
Only /var/* can be accessed freely.

Creating your own sandbox definition
A sandbox definition should be a Scheme file with extension .sb. If a non-built-in profile is given, a .sb placed in one of: shall be compiled and sandboxed by this definition. (You can also provide a complete path.) However, due to the lack of sandboxd the .sb files cannot be compiled, so assume this feature isn't there yet.
 * /usr/share/sandbox/*.sb
 * /private/var/mobile/Applications/*.sb

Working around the sandbox
While sandbox is a nice security feature, it is sometimes too restrictive for a MobileSubstrate extension. Since the sandbox is implemented as a kernel feature it's impossible to workaround it. For example, an MS extension targeting AppStore app can only write in /var/mobile, but most of the /var/mobile itself is unreadable due to sandboxing. But there are a few places that the sandbox cannot apply, so AppStore apps may store data in these places. They are:
 * Anything in the container itself (of course).
 * ~/* except the Media and Library subfolders, which only the following directories are readable:
 * ~/Media/DCIM/*
 * ~/Media/Photos/*
 * ~/Library/AddressBook/*
 * ~/Library/Keyboard/*
 * ~/Library/Preferences/*

An AppStore app itself can also read/write to these folders, even without jailbreaking (in principle), but they must be accessed via a symlink. Doing so allows easy cross-app data sharing, but that may violate the AppStore rules.

Kernel debug messages regarding the sandbox
You can turn on kernel debug messages from the Seatbelt.kext with this command:

sysctl -w security.mac.seatbelt.debug=

where the integer is a bit-field, with purposes:
 * 1 = Memory management (reference counting) messages. Very verbose, do not turn it on.
 * 2 = Function hook messages.
 * 4, 8, 16, 32, 64, 128 = ???

Set to 0 to turn off everything.