Allow mach-lookup to SystemConfiguration.configd in Seatbelt profile#129

Open

olearydj wants to merge 1 commit into anthropic-experimental:main from olearydj:fix/allow-configd-mach-lookup

Conversation

@olearydj commented Feb 10, 2026

Summary

Add com.apple.SystemConfiguration.configd to the macOS Seatbelt mach-lookup allowlist so that tools using SCDynamicStoreCreate() (e.g. uv, the Python package manager) don't panic inside the sandbox.

Problem

uv uses the system-configuration Rust crate, which calls SCDynamicStoreCreate() during Tokio runtime initialization to detect network proxy settings. The current Seatbelt profile blocks mach IPC to configd via the deny-default policy. The crate panics on the resulting NULL instead of handling it gracefully:

thread 'main2' panicked at system-configuration-0.6.1/src/dynamic_store.rs:154:1:
Attempted to create a NULL object.

thread 'main' panicked at uv/crates/uv/src/lib.rs:2540:10:
Tokio executor failed, was there a panic?

This affects any tool that uses the macOS SystemConfiguration framework inside the sandbox. uv is the most common case for Claude Code users running Python workflows.

Reproduction

Minimal Seatbelt profile with deny-default mach-lookup matching the current allowlist:

sandbox-exec -p '(version 1)(deny default)(allow process-exec)(allow process-fork)
  (allow process-info* (target same-sandbox))(allow signal (target same-sandbox))
  (allow file-read*)(allow file-write*)(allow network*)
  (allow user-preference-read)(allow ipc-posix-shm)(allow ipc-posix-sem)
  (allow sysctl-read)(allow sysctl-write)(allow iokit-open)(allow iokit-get-properties)
  (allow file-ioctl)(allow distributed-notification-post)
  (allow mach-lookup
    (global-name "com.apple.SecurityServer")
    ; ... other currently allowed services, but NO configd
  )' bash -c 'uv run python -c "print(1)"'
# Exit code: 101, panics as shown above

# Adding configd to the allowlist:
sandbox-exec -p '...(global-name "com.apple.SystemConfiguration.configd")...' \
  bash -c 'uv run python -c "print(1)"'
# Exit code: 0, works correctly

Security Considerations

Reviewers should be aware that SCDynamicStore is not purely read-only. The API supports read, write, and notification operations on the system configuration dynamic store.

What this grants access to

Read access to:

  • DNS server configuration (could reveal corporate/internal network details)
  • Proxy settings (could expose enterprise proxy infrastructure)
  • Network interface state, routing info
  • Computer hostname and sharing name
  • Currently logged-in username

Write surface:

  • The SCDynamicStore API supports set, add, and remove operations
  • Write operations typically require elevated privileges beyond the mach-lookup grant
  • However, the mach-lookup permission itself does not distinguish read from write

Mitigating factors

  • The sandbox already grants full outbound network access via the HTTP/SOCKS proxy layer, so DNS and proxy information is low incremental risk (a process could discover this through network probing)
  • Username and hostname are arguably new information not available through the existing network path, but are low-sensitivity
  • This is similar in scope to the other mach-lookup services already allowed (e.g. opendirectoryd.libinfo exposes user/group info, opendirectoryd.membership exposes group membership)
  • Related to #108 (Harden sandbox by removing unnecessary trustd.agent mach-lookup), which recently hardened the mach-lookup list by removing trustd.agent

Related CVE

CVE-2025-43413 (patched by Apple, June 2024) addressed network information leakage through sandbox gaps in system configuration APIs. Apple considered this attack surface significant enough to tighten sandbox profiles in response.

Context

Test plan

  • Profile assertion test: generated Seatbelt profile contains com.apple.SystemConfiguration.configd
  • Manual test: uv run succeeds inside sandbox with fix applied
  • Manual test: uv run panics inside sandbox without fix (confirmed with hardcoded profiles)
  • Existing seatbelt tests pass (16 pass, 1 pre-existing failure in kern.proc.all unrelated to this change)
  • Unit tests pass, typecheck clean, lint clean

🤖 Generated with Claude Code

Tools that use macOS SystemConfiguration APIs (e.g. uv, the Python
package manager) panic inside the sandbox because SCDynamicStoreCreate()
returns NULL when mach IPC to configd is blocked. This is read-only
access to system network configuration (DNS, proxies, interfaces) and
is consistent with the existing network access the sandbox already
grants via the proxy layer.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
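The reproduction in the PR description hand-writes the Seatbelt profile inline. As an added example, not code from the PR or from the project, the script below generates the same deny-default profile from a list of mach-lookup service names, provides the kind of profile assertion the test plan mentions (does the generated profile contain com.apple.SystemConfiguration.configd?), and runs a command under sandbox-exec when it is available. The run_sandboxed helper, its exit status 77 for hosts without sandbox-exec, the SEATBELT_DEMO switch and the uv invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the PR's or the project's code): build a deny-default
# Seatbelt profile with an explicit mach-lookup allowlist, assert on its
# contents, and run a command under it with sandbox-exec on macOS.

# Emit a Seatbelt profile. Every rule except mach-lookup mirrors the profile
# in the PR reproduction; the mach-lookup allowlist is built from the
# space-separated service names in $1 (left unquoted on purpose so it splits).
build_profile() {
  printf '%s\n' \
    '(version 1)' \
    '(deny default)' \
    '(allow process-exec)' \
    '(allow process-fork)' \
    '(allow process-info* (target same-sandbox))' \
    '(allow signal (target same-sandbox))' \
    '(allow file-read*)' \
    '(allow file-write*)' \
    '(allow network*)' \
    '(allow user-preference-read)' \
    '(allow ipc-posix-shm)' \
    '(allow ipc-posix-sem)' \
    '(allow sysctl-read)' \
    '(allow sysctl-write)' \
    '(allow iokit-open)' \
    '(allow iokit-get-properties)' \
    '(allow file-ioctl)' \
    '(allow distributed-notification-post)' \
    '(allow mach-lookup'
  for name in $1; do
    printf '  (global-name "%s")\n' "$name"
  done
  printf ')\n'
}

# Profile assertion: return 0 if the profile built from allowlist $1 grants
# mach-lookup to service $2. The match is on the exact quoted name, so
# "configd" does not accidentally match a longer service name.
profile_allows() {
  build_profile "$1" | grep -F -q "(global-name \"$2\")"
}

# Run "$@" under the profile built from allowlist $1. The exit status is the
# sandboxed command's; 77 (an assumed convention) means sandbox-exec is not
# available, e.g. when this script is run on Linux.
run_sandboxed() {
  allow=$1
  shift
  command -v sandbox-exec >/dev/null 2>&1 || return 77
  sandbox-exec -p "$(build_profile "$allow")" "$@"
}

# Two allowlists: the page's baseline (SecurityServer only, standing in for
# the other existing entries) and the same list with configd added.
BASE='com.apple.SecurityServer'
WITH_CONFIGD="$BASE com.apple.SystemConfiguration.configd"

# Reproduce the failure and the fix from the PR; uv must be on PATH.
main() {
  printf 'profile without configd: '
  run_sandboxed "$BASE" uv run python -c 'print(1)'
  echo "exit $?"
  printf 'profile with configd: '
  run_sandboxed "$WITH_CONFIGD" uv run python -c 'print(1)'
  echo "exit $?"
}

if [ "${SEATBELT_DEMO:-0}" = 1 ]; then
  main
fi
```

sandbox-exec and the Seatbelt profile language are macOS-only, so build_profile and profile_allows are the only parts that do anything useful elsewhere; on macOS, SEATBELT_DEMO=1 sh seatbelt_configd.sh shows the two exit codes from the reproduction. Note that profile_allows only checks that the name is present: as the Security Considerations section says, a mach-lookup grant does not distinguish read from write access to the service.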