From 425d03e699ab6318edba2bf7eded7f3c86cc91b7 Mon Sep 17 00:00:00 2001 From: Eric Curtin Date: Fri, 27 Feb 2026 13:34:06 +0000 Subject: [PATCH] deny launchservicesd mach-lookup to avoid escape MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The llama-server sandbox profile allowed mach IPC communication with launchservicesd, which open(1) uses to ask launchd to spawn processes. This bypassed job-creation restrictions since launchd — not the sandboxed process — is the actual spawning parent. Deny mach-lookup for com.apple.launchservicesd and its CoreServices alias to close the escape path while leaving other mach operations intact. Signed-off-by: Eric Curtin --- pkg/sandbox/sandbox_darwin.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkg/sandbox/sandbox_darwin.go b/pkg/sandbox/sandbox_darwin.go index 6d20a36dd..e02628d6f 100644 --- a/pkg/sandbox/sandbox_darwin.go +++ b/pkg/sandbox/sandbox_darwin.go @@ -51,6 +51,15 @@ const ConfigurationLlamaCpp = `(version 1) ;;; Deny access to job creation. (deny job-creation) +;;; Deny access to launchservicesd to prevent sandbox escape via open(1). +;;; Without this, a sandboxed process can invoke open(1) which uses +;;; launchservicesd to ask launchd to spawn a new process, bypassing +;;; job-creation restrictions because launchd (not the sandbox) is the +;;; actual parent. See ZDI-CAN-29308. +(deny mach-lookup + (global-name "com.apple.launchservicesd") + (global-name "com.apple.coreservices.launchservicesd")) + ;;; Don't allow new executable code to be created in memory at runtime. (deny dynamic-code-generation)