关于App Sandbox in Depth自己的翻译

看别人教学视频的时候发现有看这一段的文档,听别人说了大概意思还是很模糊,决定自己翻译一下,不好仅供参考

App Sandbox in Depth深层次的应用程序沙盒

The access control mechanisms used by App Sandbox to protect user data are small in number and easy to understand. But the specific steps for you to take, as you adopt App Sandbox, are unique to your app. To determine what those steps are, you must understand the key concepts for this technology.

//应用程序沙盒用来保护用户数据的进程控制机制在数量上是小的并且容易理解.但是特定的步骤需要你遵循,如你采用了应用程序沙盒,对你的App来说是独一无二的

/*这里的意思就是一个应用程序对应了自己独有的沙盒*/  为了理解这些步骤是啥,你必须理解这项技术的关键概念//

The Need for a Last Line of Defense  最后一道防线的必要

You secure your app against attack from malware by following the practices recommended in Secure Coding Guide. But despite your best efforts to build an invulnerable barrier—by avoiding buffer overflows and other memory corruptions, preventing exposure of user data, and eliminating other vulnerabilities—your app can be exploited by malicious code. An attacker needs only to find a single hole in your defenses, or in any of the frameworks and libraries that you link against, to gain control of your app’s interactions with the system.

//你使你的App安全通过下面在代码安全指南里提到的实例来阻止来自恶意软件的攻击.但是尽管你尽了最大的努力来建立一个无懈可击的屏障-通过避免缓存溢出和其他内存破坏,阻止用户数据的暴露,以及消除其他一些弱点-比如你的App可以被恶意代码利用.一名攻击者只需要在你的安全防护里或者你链接的任意的框架和库里发现单独的一个漏洞,用来得到你app和系统交互权的控制

//

App Sandbox is designed to confront this scenario head on by letting you describe your app’s intended interactions with the system. The system then grants your app only the access your app needs to get its job done. If malicious code gains control of a properly sandboxed app, it is left with access to only the files and resources in the app’s sandbox.

//App的沙盒是被设计用来面对这个情景,让你描述你的app的目标和系统的相互交互.系统然后授予你的应用程序只能访问它需要的来完成它的工作.如果恶意代码得到了一个正确沙盒应用程序的控制,只是在应用程序沙盒里留下访问文件和资源.//

To successfully adopt App Sandbox, use a different mindset than you might be accustomed to, as suggested in Table 2-1.

//为了成功的运用应用程序沙盒,采用不同的心态而不是你可能习惯了的,如表2-1中的建议

Table 2-1  The App Sandbox mindset//应用程序沙盒的心态

when developing...	when adopting App Sandbox
Add features	Minimize system resource use
take advantage of access through you app	Partition functionality,then distrust each part
Use the most convenient API	Use the most secure API
View restrictions as limitations	View restrictions as safeguards

在开发时	当采用应用程序沙盒时
添加特性	减少系统资源使用
利用你的应用程序的访问	分区功能,而不信任每个部分
使用最方便的API	使用最安全的API
限制作为限制	限制作为保障

When designing for App Sandbox, you are planning for the following worst-case scenario: Despite your best efforts, malicious code breaches an unintended security hole—either in your code or in a framework you’ve linked against. Capabilities you’ve added to your app become capabilities of the hostile code. Keep this in mind as you read the rest of this document.

//当为应用程序沙盒设计的时候,你计划以下最坏的情况:尽管尽了你最大的努力,恶意代码违反了一个意想不到的安全漏洞-在你的代码中或者在你链接的一个框架里.你添加到应用程序中的功能变成了恶意代码的功能.

Entitlements and System Resource Access//权利和系统资源的访问

An app that is not sandboxed has access to all user-accessible system resources—including the built-in camera and microphone, network sockets, printing, and most of the file system. If successfully attacked by malicious code, such an app can behave as a hostile agent with wide-ranging potential to inflict harm.

//一个没有被沙盒化的应用程序有访问所有用户,所有系统资源的权利-包括内置的相机和麦克风,网络套接字,打印机,和大多数的文件系统.如果被恶意代码成功的攻击,像这样的一个应用程序可以表现的像一个带有广泛潜在伤害的敌对间谍.

When you enable App Sandbox for your app, you remove all but a minimal set of privileges and then deliberately restore them, one-by-one, using entitlements. An entitlement is a key-value pair that identifies a specific capability, such as the capability to open an outbound network socket.

//当你为你的应用程序启用应用程序沙盒,你删除所有只留极小的特权,然后故意恢复他们,一个接着一个,用特权.一个权利是一个识别一个特殊功能的键值对,比如打开一个出站的网络套接字的功能.

One special entitlement—Enable App Sandboxing—turns on App Sandbox. When you enable sandboxing, Xcode creates a .entitlements

property list file and shows it in the project navigator.

//一个特定的使应用沙盒打开的权利.当你允许使用应用沙盒,Xcode创建一个权利属性列表文件并且在项目导航器中显示它.

If your app requires a capability, request it by adding the corresponding entitlement to your Xcode project using the Summary tab of the target editor. If you don’t require a capability, take care to not include the corresponding entitlement

//如果你的应用程序需要一个功能,请求它通过使用目标编辑器的摘要选项卡为你的Xcode项目添加与之相符的权利.如果你不需要一个功能,注意不要包括相应的权利.

You request entitlements on a target-by-target basis. If your app has a single target—the main application—you request entitlements only for that target. If you design your app to use a main application along with helpers (in the form of XPC services), you request entitlements individually, and as appropriate, for each target. You learn more about this in  External Tools, XPC Services, and Privilege Separation .

//你的请求权利在一个点对点基础上.如果你的应用程序只有一个主应用目标-你的请求权利只是为了这个目标.如果你想要你的应用程序使用一个带助手的主应用程序(XPC形式的服务),你单独请求权利,适当的,为每一个目标.想了解关于此更多请参阅外部工具,XPC服务,特权分离.

You may require finer-grained control over your app’s entitlements than is available in the Xcode target editor. For example, you might request a temporary exception entitlement because App Sandbox does not support a capability your app needs, such as the ability to send an Apple event to an app that does not yet provide any scripting access groups. To work with temporary exception entitlements, use the Xcode property list editor to edit a target’s .entitlements property list file directly.

//你可能需要更细粒度的控制你的应用程序的权力比可以在Xcode目标编辑器是可用的.比如,你可能 请求一个临时的异常权利因为应用程序沙盒不支持你的应用需要的一个功能,比如发送一个不提供任何脚本访问组的苹果事件给应用程序的功能.为了和临时异常权利一起工作,使用Xcode属性列表编辑器来直接编辑一个目标的权利属性列表文件.