opa334/libSandy

Weird issue with read/write from unsandboxed/sandboxed process.

Closed this issue · 3 comments

I've tried this many times but somehow I always get the same result.

From SpringBoard (unsandboxed):
I got a nil value from NSUserDefaults, but when I tried to write a value to NSUserDefaults, I got this message from cfprefsd[0]:
[0] = wrote file /private/preboot/<random_chars>/jb-XXXXXX/procursus/var/mobile/Library/Preferencespref.test.plist
Notice the /Preferences and pref.test.plist, isn't there supposed to be a / in between them? I tried to make another profile, apply libSandy, and call NSUserDefaults, and I got the same result. Tested on iOS 15.1.1 (A14).

From app (sandboxed):
I can get the value of the .plist in /Preferences/, but when I tried to write a value to it, I got this message from cfprefsd[1]:
[1] = rejecting write of key(s) data in { pref.test, mobile, kCFPreferencesAnyHost, /var/jb/var/mobile/Library/Preferences/pref.test.plist, managed: 0 } from process 19091 (Twitter) because setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access

Profile (pref.test.plist):
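```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>AllowedProcesses</key>
	<array>
		<string>*</string>
	</array>
	<key>Extensions</key>
	<array>
		<dict>
			<key>type</key>
			<string>file</string>
			<key>extension_class</key>
			<string>com.apple.app-sandbox.read-write</string>
			<key>path</key>
			<string>/var/mobile/Library/Preferences/pref.test.plist</string>
		</dict>
	</array>
</dict>
</plist>
```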

This is a cfprefsd / stock bug where it removes /private from the beginning of /private/preboot paths when running stringByResolvingSymlinksInPath.

Both Dopamine and palera1n rootless have cfprefsd hooks that redirect third party preference plists to /var/jb automatically. So when creating the NSUserDefaults object, just use the rootful path, it will automatically be redirected to /var/jb.

I already did use the rootful path, or the 'normal' path without /var/jb, when creating the NSUserDefaults object. The tests were done using that, and it still does not work for me somehow.

Is a sandboxed app supposed to only read data from the Preferences?
I can't seem to make it able to write data into it, except from an unsandboxed process.

Here are the logs when I tried to write some data into the .plist inside /Preferences/ (the profile already has read-write access in extension_class, and libSandy_applyProfile() is called before calling NSUserDefaults):

  1. Kernel = Sandbox: Twitter(22316) deny(1) user-preference-write pref.test
  2. cfprefsd = rejecting write of key(s) prefs in { pref.test, mobile, kCFPreferencesAnyHost, /var/jb/var/mobile/Library/Preferences/pref.test.plist, managed: 0 } from process 22316 (Twitter) because setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access
  3. Twitter = Couldn't write values for keys (prefs) in CFPrefsPlistSource<0x281ec5980> (Domain: pref.test, User: kCFPreferencesCurrentUser, ByHost: No, Container: kCFPreferencesNoContainer, Contents Need Refresh: No): setting preferences outside an application's container requires user-preference-write or file-write-data sandbox access

In your extension plist you need to omit the /var/jb too, just use the root path there as well. Make sure the extension is read-write, then it should work.
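
The advice in the last reply can be checked mechanically before a profile ships. The following is an added example, not part of the thread or of libSandy's code: a small linter that flags file extensions whose path carries a rootless prefix or whose class is not read-write. The function name `lint_profile`, the finding labels and the sample profile are hypothetical, and the plist layout (an `Extensions` array of dicts) is assumed from the keys shown in the thread.

```python
import plistlib

# Constructed sample profile (not from the thread). Layout assumed from the
# keys the thread shows: AllowedProcesses array, Extensions array of dicts.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AllowedProcesses</key>
    <array><string>*</string></array>
    <key>Extensions</key>
    <array>
        <dict>
            <key>type</key><string>file</string>
            <key>extension_class</key><string>com.apple.app-sandbox.read</string>
            <key>path</key><string>/var/jb/var/mobile/Library/Preferences/pref.test.plist</string>
        </dict>
    </array>
</dict>
</plist>"""

# Prefixes that appear in the thread's logs and that the reply says to omit.
ROOTLESS_PREFIXES = ("/var/jb/", "/private/preboot/")
READ_WRITE = "com.apple.app-sandbox.read-write"


def lint_profile(data, needs_write=True):
    """Return (index, finding, value) tuples for file extensions in a profile."""
    profile = plistlib.loads(data)
    findings = []
    for i, ext in enumerate(profile.get("Extensions", [])):
        if ext.get("type") != "file":
            continue  # only file extensions carry a path to check
        path = ext.get("path", "")
        # The reply asks for the rootful path here, without the rootless prefix.
        if path.startswith(ROOTLESS_PREFIXES):
            findings.append((i, "rootless-prefix", path))
        # Writing preferences needs the read-write class named in the thread.
        if needs_write and ext.get("extension_class") != READ_WRITE:
            findings.append((i, "not-read-write", ext.get("extension_class")))
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```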