Posts

Post marked as solved
1 Replies
295 Views
Hello, I have an application which is running sandboxed and it also launches child processes via posix_spawn. I already learned that child processes run in the same sandbox as the launching application. What I wonder is if there is a way to launch the child with a different sandbox profile from the parent application while maintaining the parent-child relationship? My use case is that the helper applications don't need access to a bunch of stuff the parent needs, and we want to limit the blast radius in case of a security problem. I know that's what XPCServices are for, but we have multi-platform code which relies on the POSIX process model quite heavily. Thank you
Post marked as solved
3 Replies
974 Views
Hello, I have a Cocoa application from which I fork a new process (a helper of sorts) and it crashes on fork due to some cleanup code probably registered with pthread_atfork() in the Network framework. This is the crash from the child process:

    Application Specific Information:
    *** multi-threaded process forked ***
    BUG IN CLIENT OF LIBPLATFORM: os_unfair_lock is corrupt
    Abort Cause 258
    crashed on child side of fork pre-exec

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0 libsystem_platform.dylib 0x194551238 _os_unfair_lock_corruption_abort + 88
    1 libsystem_platform.dylib 0x19454c788 _os_unfair_lock_lock_slow + 332
    2 Network 0x19b1b4af0 nw_path_shared_necp_fd + 124
    3 Network 0x19b1b4698 -[NWConcrete_nw_path_evaluator dealloc] + 72
    4 Network 0x19af9d970 __nw_dictionary_dispose_block_invoke + 32
    5 libxpc.dylib 0x194260210 _xpc_dictionary_apply_apply + 68
    6 libxpc.dylib 0x19425c9a0 _xpc_dictionary_apply_node_f + 156
    7 libxpc.dylib 0x1942600e8 xpc_dictionary_apply + 136
    8 Network 0x19acd5210 -[OS_nw_dictionary dealloc] + 112
    9 Network 0x19b1beb08 nw_path_release_globals + 120
    10 Network 0x19b3d4fa0 nw_settings_child_has_forked() + 312
    11 libsystem_pthread.dylib 0x100c8f7c8 _pthread_atfork_child_handlers + 76
    12 libsystem_c.dylib 0x1943d9944 fork + 112
    (...)

I'm trying to create a child process with boost::process::child, which basically does just a fork() followed by execv(), and I do it before -[NSApplication run] is called. Is it a known bug or behavior which I've run into? Also, what is the correct way to spawn child processes in Cocoa applications? As far as my understanding goes, basically all the available APIs (e.g. posix, NSTask) should be more or less the same thing calling the same syscalls. So forking the process early, before the main run loop starts, and not starting another NSApplication in the forked child should be ok ...or not?
Post marked as solved
4 Replies
809 Views
Hello, I have a sandboxed Mac app which is launching a helper app. The main app has sandbox enabled and has the get-task-allow entitlement. From the main app I launch[1] a helper which is an application bundle located in Contents/Helpers of the main bundle. The helper has sandbox enabled and the com.apple.security.inherit entitlement.

Currently I have a problem attaching a debugger to the helper process or getting access to location services from it (but that's probably a different issue). I checked the responsible process and it seems to be set up to the correct PID of the main application. Xcode is reporting a "Not allowed to attach to process" error and I see the same in the log:

    macOSTaskPolicy: (com.apple.debugserver) may not get the task control port of (com.****) (pid: 31628): (com.****) is hardened, (com.****) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger(com.apple.debugserver) is not a declared read-only debugger

To add more context, what I'm trying to achieve is that we run certain parts of our app in separate child processes so we can restart them if anything goes wrong [2]. So I have a few questions:

Do I need to launch the helper (child) process a particular way to be able to attach a debugger to it?
Is there a tool to inspect sandboxes (rules applied and the inheritance)?
Do I really need to explicitly enable sandboxing and inheritance on the helper app, doesn't it run in the parent's sandbox anyway?

Thank you.

[1] We use boost::child_process for launching the helper, which is using popen behind the scenes, but I have the same experience with NSTask.
[2] I know that's what XPCServices are for but don't ask :-)
Post not yet marked as solved
4 Replies
1.4k Views
Hello, we have a bunch of Macs which we use for running automated UI tests and we need to allow the services kTCCServiceScreenCapture and kTCCServiceAccessibility for our application bundles (it's a kind of screen sharing application).

We tried to do a direct change in the user's ~/Library/Application Support/com.apple.TCC/TCC.db but it doesn't take effect, as it looks like these permissions need to be granted in the system TCC database. The system database at /Library/Application Support/com.apple.TCC/TCC.db is write-only due to rootless. Is there any other way than completely disabling SIP to grant these TCC permissions to our bundles? Also, we would be just fine granting the permissions manually when we're setting up the machine, but it seems these get reset from time to time.

And that's my other question: how does the TCC validation work? We're testing ad-hoc signed bundles as well as DeveloperID signed ones with the same Application ID and it seems that TCC gets confused over time and simply treats the permissions as not granted. Would modifying csreq in the TCC.db record to contain only the requirement identifier=my.bundle.app.id prevent this behavior, or are there some other heuristics TCC uses for permission validation?

Thank you, o/
Post not yet marked as solved
0 Replies
543 Views
I'm specifically talking about NSKeyValueBindingCreation. What do I have to do to expose my custom properties in the Interface editor's binding inspector? I have a simple XIB with a custom view which is a subclass of NSView with optionDescriptionsForBinding: and all the other method overrides described in NSKeyValueBindingCreation. Still it doesn't work for some reason. Is there any working example of a custom NSView with exposed bindings?
Post not yet marked as solved
0 Replies
588 Views
Hello folks, the documentation for UNNotificationContentExtension says that it's supported on macOS 11.0+. Does that mean that the notification content extension is supported for good ol' Cocoa apps (i.e. not Mac Catalyst) on Big Sur and up? I'm asking because I created the extension, bundled it with my Cocoa app and it doesn't seem to work at all, and I'm not sure if I should keep digging or if it's simply not supported. Also, is there any recommended way to troubleshoot issues with app extensions? I.e. looking for logs of some service or some command line tool, anything? Thank you! o/
Post not yet marked as solved
7 Replies
2.4k Views
Hello, this question was asked in various forms a lot on this forum but I'm probably still missing the point, so I would like to ask if anyone can help me to clarify that :)

I have two apps which need to communicate; both are sandboxed, hardened and in the same app group. In my particular setup it's Main.app and Helper.app, where Helper.app is embedded inside the Main.app (but I don't think that's particularly important, just saying that in case it could be helpful).

I was able to use CFMessagePort to make the communication possible by using a port name prefixed with the app group id (like described here: https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html#//apple_ref/doc/uid/TP40011183-CH3-SW24). That does exactly what I need except it's not secure, namely I can't verify the sender and all communication is basically public (any client knowing the name of the port can send messages there). I understand that CFMessagePort is kind of an ancient leftover waiting to be deprecated, and from reading its open sourced code from 2015 I understand that these requirements can't be met because (in)security is built into the code :(

I turned my hopes towards XPC and was able to start the NSXPCListener with a mach service in the Main.app and connect to the mach service with NSXPCConnection from the Helper.app. Unfortunately that works only from Xcode and I guess it has something to do with the debugserver being the parent of both apps, not launchd. Also, for what it's worth, I was not able to verify the sender with SecCodeCopyGuestWithAttributes anyway as I got kPOSIXErrorEPERM (I tried the workaround with the entitlement to access /private/var/db/mds).

As I understood from other posts in this forum, this usage pattern is not supported and I have to have a mediator in between the apps (the broker), which will allow both apps to exchange an NSXPCListenerEndpoint and establish direct communication. Unfortunately again, the XPC service launched as private to the app can't be used for this because the other app can't connect to it, so I have to create a .plist for launchd and load the service manually.

...That's where I got stuck because I don't know how I would get this into the App Store. As far as I know the LaunchAgents and Daemons are prohibited and the only ones allowed are LoginItems, which don't seem suited for this to me. Also, compared to CFMessagePort, this solution with a broker is total overkill for the problem at hand; technically I just need to send a few "events" between the apps in acceptable time.

So to sum up my "question": is this XPC wrangling my only option? I was considering using raw mach messaging, which the documentation is discouraging at every step it seems, or a unix domain socket, which kind of has the same security problems as CFMessagePort.

Sorry for the long post and thank you for reading it :)