Lion Sandboxing

28 June 2011

From a security perspective, it has long felt ridiculous to me that any native application I run can access any data I can access, whether that be read-only or read/write, without my explicit consent. That's basically the decades old Unix model of security based on file permissions and application processes running as the current user. It looks like Lion is going to change that, at least for applications acquired through the Mac App Store. To me, this is by far the most significant part of the Lion feature set that has become public knowledge so far.


So Lion will introduce an application sandboxing feature, where applications basically run in a chroot environment. Applications can't just read and/or write arbitrary files somewhere on the users disk; instead they can (by default) only access files in their own little sandbox directory.

But apparently, the really cool trick about this is that the user can poke holes into the sandbox by using the standard open/save file dialog, drag and drop, or other explicit means of giving an application access to a specific piece of data. Which means that in most cases, users can continue to work with those applications as they have in the past, without having to even be aware of the sandbox that's providing them extra security. That would be huge.

Also, according to the official (and rather brief) description, the sandbox can limit the application's access to other resources, such as the network or the camera. Applications will presumably need to state upfront whether they need such access, and the user will be able to check those requirements before installation.

Of course, I have no idea how well this will work in practice, but it seems like a very elegant approach. It might very well be a huge step forward in terms of application security on mainstream desktop operating systems.