init

Protonk · Protonk · commit 0601d2ffbc57 · 2025-12-13T22:18:09.000-08:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,6 @@
+# build artifacts
+EntitlementJail.app/
+EntitlementJail.zip
+
+# da mac
+.DS_Store
diff --git a/EntitlementJail.entitlements b/EntitlementJail.entitlements
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+ "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>com.apple.security.app-sandbox</key>
+  <true/>
+</dict>
+</plist>
diff --git a/README.md b/README.md
@@ -0,0 +1,75 @@
+# Entitlement Jail
+
+Run an arbitrary command inside a macOS `.app` that is signed with specific entitlements (by default: App Sandbox). This is useful for quickly testing how a tool behaves when "jailed" by a sandbox/entitlement set.
+
+The app executable is a tiny Rust wrapper in `runner/` that `exec()`s the command you pass, so the child process inherits the app's sandbox/entitlements.
+
+## Requirements
+
+- macOS 14+ (see `LSMinimumSystemVersion` in the app `Info.plist`)
+- Rust toolchain (to build `runner/`)
+- Xcode Command Line Tools (for `codesign`)
+
+## Build
+
+1. Build the runner:
+
+   ```sh
+   cd runner
+   cargo build --release
+   cd ..
+   ```
+
+2. Create an app bundle and copy the binary in:
+
+   ```sh
+   APP=EntitlementJail.app
+   mkdir -p "$APP/Contents/MacOS"
+   cp runner/target/release/runner "$APP/Contents/MacOS/entitlement-jail"
+   ```
+
+3. Add an `Info.plist`:
+
+   ```sh
+   cat > "$APP/Contents/Info.plist" <<'PLIST'
+   <?xml version="1.0" encoding="UTF-8"?>
+   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+   <plist version="1.0">
+   <dict>
+     <key>CFBundleExecutable</key><string>entitlement-jail</string>
+     <key>CFBundleIdentifier</key><string>com.yourteam.entitlement-jail</string>
+     <key>CFBundleName</key><string>EntitlementJail</string>
+     <key>CFBundlePackageType</key><string>APPL</string>
+     <key>CFBundleShortVersionString</key><string>1.0</string>
+     <key>CFBundleVersion</key><string>1</string>
+     <key>LSMinimumSystemVersion</key><string>14.0</string>
+   </dict>
+   </plist>
+   PLIST
+   ```
+
+4. Sign the app with the entitlements in `EntitlementJail.entitlements` (ad-hoc signing is fine for local testing):
+
+   ```sh
+   codesign --force --deep --sign - --entitlements EntitlementJail.entitlements "$APP"
+   ```
+
+## Usage
+
+Run the app's executable and pass the command to "jail":
+
+```sh
+./EntitlementJail.app/Contents/MacOS/entitlement-jail /usr/bin/id
+./EntitlementJail.app/Contents/MacOS/entitlement-jail /bin/ls "$HOME/Desktop"
+```
+
+## Customizing entitlements
+
+Edit `EntitlementJail.entitlements`, then re-run the `codesign ...` step.
+
+For example, to allow outbound network access, add:
+
+```xml
+<key>com.apple.security.network.client</key>
+<true/>
+```
diff --git a/build-macos.sh b/build-macos.sh
@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Usage:
+#   ./build-macos.sh
+#   IDENTITY='Developer ID Application: ...' ./build-macos.sh
+#
+# Produces:
+#   EntitlementJail.app
+#   EntitlementJail.zip  (ready for notarytool submit)
+
+APP_NAME="EntitlementJail"
+APP_BUNDLE="${APP_NAME}.app"
+ZIP_NAME="${APP_NAME}.zip"
+
+# Paths in this repo
+RUNNER_MANIFEST="runner/Cargo.toml"
+ENTITLEMENTS_PLIST="EntitlementJail.entitlements"
+INFO_PLIST_TEMPLATE="Info.plist"
+
+# Optional: embed extra payloads if present
+EMBED_FENCERUNNER_PATH="${EMBED_FENCERUNNER_PATH:-}"   # e.g. /path/to/fencerunner
+EMBED_PROBES_DIR="${EMBED_PROBES_DIR:-}"               # e.g. /path/to/probes
+
+# Signing identity. Prefer env override; otherwise require user to set it.
+IDENTITY="${IDENTITY:-}"
+
+if [[ -z "${IDENTITY}" ]]; then
+  cat <<'EOF' 1>&2
+ERROR: IDENTITY is not set.
+
+Set it to your Developer ID Application identity string, for example:
+  IDENTITY='Developer ID Application: Adam Hyland (42D369QV8E)' ./build-macos.sh
+
+You can find valid identities via:
+  security find-identity -v -p codesigning
+EOF
+  exit 2
+fi
+
+echo "==> Building Rust runner"
+cargo build --manifest-path "${RUNNER_MANIFEST}" --release
+
+# Find the built binary. (Assumes standard Cargo layout.)
+RUNNER_BIN="runner/target/release/runner"
+if [[ ! -x "${RUNNER_BIN}" ]]; then
+  echo "ERROR: expected runner binary at ${RUNNER_BIN}" 1>&2
+  exit 2
+fi
+
+echo "==> Assembling app bundle: ${APP_BUNDLE}"
+rm -rf "${APP_BUNDLE}"
+mkdir -p "${APP_BUNDLE}/Contents/MacOS"
+mkdir -p "${APP_BUNDLE}/Contents/Resources"
+
+# Copy Info.plist
+if [[ ! -f "${INFO_PLIST_TEMPLATE}" ]]; then
+  echo "ERROR: missing ${INFO_PLIST_TEMPLATE} at repo root" 1>&2
+  exit 2
+fi
+cp "${INFO_PLIST_TEMPLATE}" "${APP_BUNDLE}/Contents/Info.plist"
+
+# Install main executable
+cp "${RUNNER_BIN}" "${APP_BUNDLE}/Contents/MacOS/entitlement-jail"
+chmod +x "${APP_BUNDLE}/Contents/MacOS/entitlement-jail"
+
+# Optional: embed fencerunner
+if [[ -n "${EMBED_FENCERUNNER_PATH}" ]]; then
+  if [[ ! -x "${EMBED_FENCERUNNER_PATH}" ]]; then
+    echo "ERROR: EMBED_FENCERUNNER_PATH is set but not executable: ${EMBED_FENCERUNNER_PATH}" 1>&2
+    exit 2
+  fi
+  echo "==> Embedding fencerunner: ${EMBED_FENCERUNNER_PATH}"
+  cp "${EMBED_FENCERUNNER_PATH}" "${APP_BUNDLE}/Contents/MacOS/fencerunner"
+  chmod +x "${APP_BUNDLE}/Contents/MacOS/fencerunner"
+fi
+
+# Optional: embed probes directory
+if [[ -n "${EMBED_PROBES_DIR}" ]]; then
+  if [[ ! -d "${EMBED_PROBES_DIR}" ]]; then
+    echo "ERROR: EMBED_PROBES_DIR is set but not a directory: ${EMBED_PROBES_DIR}" 1>&2
+    exit 2
+  fi
+  echo "==> Embedding probes dir: ${EMBED_PROBES_DIR}"
+  rsync -a --delete "${EMBED_PROBES_DIR}/" "${APP_BUNDLE}/Contents/Resources/probes/"
+fi
+
+# Sanity check entitlements
+if [[ ! -f "${ENTITLEMENTS_PLIST}" ]]; then
+  echo "ERROR: missing entitlements plist: ${ENTITLEMENTS_PLIST}" 1>&2
+  exit 2
+fi
+
+echo "==> Codesigning (Developer ID + hardened runtime + entitlements)"
+# Sign nested code first if you embed anything executable beyond the main binary.
+# --deep is convenient here; if you later add more embedded executables/frameworks,
+# consider an explicit signing pass over each nested code item.
+codesign \
+  --force \
+  --deep \
+  --options runtime \
+  --timestamp \
+  --entitlements "${ENTITLEMENTS_PLIST}" \
+  -s "${IDENTITY}" \
+  "${APP_BUNDLE}"
+
+echo "==> Verifying signature + entitlements"
+codesign --verify --deep --strict --verbose=2 "${APP_BUNDLE}"
+codesign --display --entitlements - "${APP_BUNDLE}" >/dev/null
+
+echo "==> Creating zip (for notarization): ${ZIP_NAME}"
+rm -f "${ZIP_NAME}"
+/usr/bin/ditto -c -k --keepParent "${APP_BUNDLE}" "${ZIP_NAME}"
+
+echo
+echo "DONE:"
+echo "  - ${APP_BUNDLE}"
+echo "  - ${ZIP_NAME}"
+echo
+echo "Next (notarize with your saved profile):"
+cat <<EOF
+  xcrun notarytool submit "${ZIP_NAME}" --keychain-profile "dev-profile" --wait
+  xcrun stapler staple "${APP_BUNDLE}"
+  spctl -a -vv "${APP_BUNDLE}"
+EOF
