From 09ea12a2a7963f22673dd7bfbdd2712e0d76bb26 Mon Sep 17 00:00:00 2001
From: Teddy Reed
Date: Fri, 19 Jun 2015 01:53:09 -0400
Subject: [PATCH] Add application sandbox container metadata
---
osquery/tables/system/darwin/sandboxes.cpp | 83 ++++++++++++++++++++++
specs/darwin/sandboxes.table | 11 +++
2 files changed, 94 insertions(+)
create mode 100644 osquery/tables/system/darwin/sandboxes.cpp
create mode 100644 specs/darwin/sandboxes.table
diff --git a/osquery/tables/system/darwin/sandboxes.cpp b/osquery/tables/system/darwin/sandboxes.cpp
new file mode 100644
index 00000000..cbf3cbb3
--- /dev/null
+++ b/osquery/tables/system/darwin/sandboxes.cpp
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2014, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+#include
+
+#include
+#include
+#include
+#include
+
+#include "osquery/core/conversions.h"
+
+namespace fs = boost::filesystem;
+namespace pt = boost::property_tree;
+
+namespace osquery {
+namespace tables {
+
+const std::vector kSandboxContainerPaths = {
+ "/Library/Containers/",
+};
+
+void genSandboxContainer(const fs::path& container, QueryData& results) {
+ pt::ptree tree;
+ fs::path path = container / "Container.plist";
+ if (!pathExists(path.string()).ok() || !isReadable(path.string()).ok()) {
+ // Container directory does not contain container details.
+ return;
+ }
+
+ if (!osquery::parsePlist(path.string(), tree).ok()) {
+ // Could not parse the container plist.
+ return;
+ }
+
+ if (tree.count("SandboxProfileDataValidationInfo") == 0) {
+ return;
+ }
+
+ auto info = tree.get_child("SandboxProfileDataValidationInfo");
+ if (info.count("SandboxProfileDataValidationParametersKey") == 0) {
+ return;
+ }
+
+ Row r;
+ info = info.get_child("SandboxProfileDataValidationParametersKey");
+ r["label"] = info.get("application_container_id", "");
+ r["user"] = info.get("_USER", "");
+ r["enabled"] = INTEGER(tree.get(
+ "SandboxProfileDataValidationEntitlementsKey.com.apple.security.app-"
+ "sandbox",
+ 0));
+ r["build_id"] = info.get("sandbox_build_id", "");
+ r["bundle_path"] = info.get("application_bundle", "");
+ r["path"] = container.string();
+ results.push_back(r);
+}
+
+QueryData genSandboxContainers(QueryContext& context) {
+ QueryData results;
+
+ // Get the login items available in System Preferences for each user.
+ for (const auto& dir : getHomeDirectories()) {
+ for (const auto& path : kSandboxContainerPaths) {
+ std::vector containers;
+ osquery::listDirectoriesInDirectory(dir / path, containers);
+ for (const auto& container : containers) {
+ genSandboxContainer(container, results);
+ }
+ }
+ }
+
+ return results;
+}
+}
+}
diff --git a/specs/darwin/sandboxes.table b/specs/darwin/sandboxes.table
new file mode 100644
index 00000000..65975c2d
--- /dev/null
+++ b/specs/darwin/sandboxes.table
@@ -0,0 +1,11 @@
+table_name("sandboxes")
+description("OS X application sandboxes container details.")
+schema([
+ Column("label", TEXT, "UTI-format bundle or label ID"),
+ Column("user", TEXT, "Sandbox owner"),
+ Column("enabled", INTEGER, "Application sandboxings enabled on container"),
+ Column("build_id", TEXT, "Sandbox-specific identifier"),
+ Column("bundle_path", TEXT, "Application bundle used by the sandbox"),
+ Column("path", TEXT, "Path to sandbox container directory"),
+])
+implementation("sandboxes@genSandboxContainers")
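Review bot: The `enabled` column in genSandboxContainer is read with a dotted ptree path, so `tree.get("SandboxProfileDataValidationEntitlementsKey.com.apple.security.app-sandbox", 0)` walks child nodes `com` → `apple` → `security` → `app-sandbox` rather than looking up the single plist key `com.apple.security.app-sandbox`; unless parsePlist rewrites dotted keys, that lookup always misses and every row reports `enabled` = 0, which silently hides which containers actually have sandboxing on. Give the path an explicit separator that cannot appear in the keys: `r["enabled"] = INTEGER(tree.get(pt::ptree::path_type("SandboxProfileDataValidationEntitlementsKey/com.apple.security.app-sandbox", '/'), 0));`. Separately, the comment above the loop in genSandboxContainers (`// Get the login items available in System Preferences for each user.`) was carried over from another table and describes the wrong thing; it should read `// Scan each user's Library/Containers/ for application sandbox containers.`. The Status returned by listDirectoriesInDirectory is discarded, which is acceptable for a best-effort scan but deserves a one-line comment saying so.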
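Review bot: The column and table descriptions in the spec read awkwardly: `Column("enabled", INTEGER, "Application sandboxings enabled on container")` should be `Column("enabled", INTEGER, "Application sandboxing enabled on container")`, and `description("OS X application sandboxes container details.")` reads better as `description("OS X application sandbox container details.")`. These strings surface in the generated table documentation, so the wording is what users of the table see.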