Sandbox Escape

As a security measure, and to keep apps on the device from sharing data or interfering with each other, iOS includes a security system known as the sandbox. The sandbox blocks access to files, network sockets, bootstrap service names, and the ability to spawn subprocesses. Part of the jailbreaking process involves modifying the sandbox so that all processes can load Cydia Substrate, but much of the sandbox is left intact to respect the security and privacy of the user's data.

With each new release, Apple tightens the sandbox further to improve privacy and security. When building extensions or tweaks that need to share information across processes or persist data to disk, this can be restrictive. One approach is to survey the sandbox restrictions that exist on the processes where the extension is to be run, and choose file paths and names based on them. This is common, but can leave you stranded when Apple tightens the tourniquet: as of iOS 8 there is no location that all processes can read and write successfully. A better approach is to do all of the interesting work inside a privileged process such as SpringBoard, backboardd, or even a manually created launch daemon of your own. Child processes can then send work to the privileged service. This ensures that as the sandbox tightens, your extension will still behave properly as long as it can communicate with the service.

Oddly enough, as of iOS 8 Apple has also decided to limit which services an App Store process may look up. This makes nearly all forms of inter-process communication ineffective on iOS, outside of the well-defined static services that Apple has designated. RocketBootstrap was created as a way around this that simultaneously allows additional services to be registered and respects the security and privacy of the user's data. Services registered with RocketBootstrap are made globally accessible in spite of very restrictive sandbox rules, and it serves as the single project that needs updating as the rules change.

(For security reasons, and so that each app runs in its own isolated space, iOS introduced a security system called the "sandbox". The sandbox intercepts file access, network sockets, bootstrap services, and the spawning of child processes. Jailbreaking makes moderate modifications to the sandbox so that every process can load Cydia Substrate, but for the sake of the user's privacy and security most of the sandbox restrictions are left as they are.

With every iOS version, Apple strengthens the sandbox. When our tweak needs to access data across processes or write data to disk, the sandbox restricts what we can do. One way around these restrictions is to look at which processes the tweak runs in and pick a path or file that all of those processes can access, and use it to share data. This is a conventional approach, but as soon as Apple tightens the sandbox again it can fail; in iOS 8, for example, there is no longer any path that every process can both read and write. A better approach is to perform such operations inside a highly privileged process such as SpringBoard, backboardd, or a daemon we write ourselves; the process hosting our tweak then simply hands the restricted operations to one of these privileged processes and waits for the result. The advantage is that even as the sandbox restrictions get stricter, the tweak keeps working as long as the process hosting it can still communicate with the privileged process.

Oddly, in iOS 8 Apple even restricted which services (that is, which processes) an App Store app may communicate with, which breaks nearly all inter-process communication for App Store app processes. RocketBootstrap was created in response: it removes the access restriction described above while still preserving most of the sandbox's protection. A service registered with RocketBootstrap can be reached by every process on the system, including those under very strict sandbox rules; RocketBootstrap is a single standalone project, and as Apple's rules change I will keep adjusting its code so that it continues to work.)

Ryan Petrich
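The two points above, doing the privileged work inside SpringBoard and reaching that service from a sandboxed App Store process through RocketBootstrap, are illustrated by the following added example. It is not code from the original text or from the RocketBootstrap project; it only uses the public `rocketbootstrap_distributedmessagingcenter_apply()` call and the private AppSupport class `CPDistributedMessagingCenter`. The service name `com.example.sharedstore`, the message names `set`/`get`, the plist path, and the class names are assumptions chosen for the example; the tweak is assumed to be injected into both SpringBoard and the client app and linked against AppSupport and RocketBootstrap.

```objc
// Added example (not from the original page or from RocketBootstrap itself).
// Privileged-service pattern: the actual work runs inside SpringBoard, and
// sandboxed App Store processes only send it messages over a RocketBootstrap
// service. Service name, message names and file layout are assumptions.
#import <Foundation/Foundation.h>
#import <AppSupport/CPDistributedMessagingCenter.h>
#import <rocketbootstrap/rocketbootstrap.h>

// Hypothetical service name; RocketBootstrap makes it reachable even from
// processes whose sandbox denies ordinary bootstrap look-ups on iOS 8.
static NSString *const kServiceName = @"com.example.sharedstore";
static NSString *const kMsgSet = @"set";
static NSString *const kMsgGet = @"get";

// ---- Server side: runs inside SpringBoard --------------------------------

@interface SharedStoreServer : NSObject
- (NSDictionary *)handleMessage:(NSString *)name withUserInfo:(NSDictionary *)info;
@end

@implementation SharedStoreServer {
    NSMutableDictionary *_store;
    NSString *_path;
}

- (instancetype)init {
    if ((self = [super init])) {
        // SpringBoard can write here; sandboxed apps cannot (assumed location).
        // Clients never choose the path, so a hostile client cannot redirect writes.
        _path = @"/var/mobile/Library/Preferences/com.example.sharedstore.plist";
        _store = [NSMutableDictionary dictionaryWithContentsOfFile:_path]
                 ?: [NSMutableDictionary dictionary];
    }
    return self;
}

// Any process on the device can reach a RocketBootstrap service, so treat the
// payload as untrusted: accept only the keys and value types this service needs.
- (NSDictionary *)handleMessage:(NSString *)name withUserInfo:(NSDictionary *)info {
    NSString *key = info[@"key"];
    if (![key isKindOfClass:[NSString class]] || key.length == 0 || key.length > 64) {
        return @{ @"ok": @NO, @"error": @"bad key" };
    }
    if ([name isEqualToString:kMsgSet]) {
        id value = info[@"value"];
        if (![value isKindOfClass:[NSString class]] && ![value isKindOfClass:[NSNumber class]]) {
            return @{ @"ok": @NO, @"error": @"bad value" };
        }
        _store[key] = value;
        [_store writeToFile:_path atomically:YES];
        return @{ @"ok": @YES };
    }
    if ([name isEqualToString:kMsgGet]) {
        id value = _store[key];
        return value ? @{ @"ok": @YES, @"value": value }
                     : @{ @"ok": @NO, @"error": @"missing" };
    }
    return @{ @"ok": @NO, @"error": @"unknown message" };
}
@end

static SharedStoreServer *gServer;

static void StartServer(void) {
    gServer = [[SharedStoreServer alloc] init];
    CPDistributedMessagingCenter *center = [CPDistributedMessagingCenter centerNamed:kServiceName];
    // Register the service port through RocketBootstrap instead of the plain
    // bootstrap server, so restricted clients can still look it up.
    rocketbootstrap_distributedmessagingcenter_apply(center);
    [center runServerOnCurrentThread];
    [center registerForMessageName:kMsgSet target:gServer selector:@selector(handleMessage:withUserInfo:)];
    [center registerForMessageName:kMsgGet target:gServer selector:@selector(handleMessage:withUserInfo:)];
}

// ---- Client side: runs inside the sandboxed app --------------------------

// Returns nil when the service is not running; callers must handle that
// instead of assuming a reply dictionary is present.
static NSDictionary *ClientSend(NSString *name, NSDictionary *info) {
    CPDistributedMessagingCenter *center = [CPDistributedMessagingCenter centerNamed:kServiceName];
    rocketbootstrap_distributedmessagingcenter_apply(center);  // look-up also goes via RocketBootstrap
    return [center sendMessageAndReceiveReplyName:name userInfo:info];
}

// Loaded into every process the tweak's filter matches; only SpringBoard hosts
// the service, every other process is a client.
__attribute__((constructor))
static void TweakInit(void) {
    if ([[NSBundle mainBundle].bundleIdentifier isEqualToString:@"com.apple.springboard"]) {
        StartServer();
    }
}
// Client usage: ClientSend(kMsgSet, @{ @"key": @"theme", @"value": @"dark" });
//               ClientSend(kMsgGet, @{ @"key": @"theme" });
```

The design keeps the author's privacy argument intact: the only thing that crosses the sandbox boundary is a small message, the privileged side owns the file path and the on-disk format, and because the service is reachable from every process it validates each request rather than trusting its sender. If Apple tightens file-system rules again, only SpringBoard's ability to reach the plist matters; the client needs nothing but the RocketBootstrap look-up.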