App Sandbox

RSS for tag

App Sandbox is a macOS access control technology designed to contain damage to the system and user data if an app becomes compromised.

Posts under App Sandbox tag

118 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

macOS Sandbox and writing to system folders (audio plug-Ins)
Hello macOS gurus, I am writing an AUv3 plug-in and wanted to add support for additional formats such as CLAP and VST3. These plug-ins must reside in an appropriate folder /Library/Audio/Plug-Ins/ or ~/Library/Audio/Plug-Ins/. The typical way these are delivered is with old school installers. I have been experimenting with delivering theses formats in a sandboxed app. I was using the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement to place a symlink in the system folder that points to my CLAP and VST3 plug-ins in the bundle. Everything was working very nicely until I realize that on my Mac I had changed the permissions on these folders from to The problem is that when the folder has the original system permissions, my attempt to place the symlink fails, even with the temporary exception entitlement. Here's the code I'm using with systemPath = "/Library/Audio/Plug-Ins/VST3/" static func symlinkToBundle(fileName: String, fileExt: String, from systemPath: String) throws { guard let bundlePath = Bundle.main.resourcePath?.appending("/\(fileName).\(fileExt)") else { print("File not in bundle") } let fileManager = FileManager.default do { try fileManager.createSymbolicLink(atPath: systemPath, withDestinationPath: bundlePath) } catch { print(error.localizedDescription) } } So the question is ... Is there a way to reliably place this symlink in /Library/... from a sandboxed app using the temporary exception entitlements? I understand there will probably be issues with App Review but for now I am just trying to explore my options. Thanks.
6
0
785
Aug ’24
Honoring User's Changed Selection when Registering macOS MainApp with SMAppService
Hello, Currently my macOS application registers itself as a login item in the AppDelegate applicationDidFinishLaunching method (see code below) However, I'm running into a problem that if the user is auto upgraded (internal 3rd party implementation) that the .pkg postinstall script runs, the last step which is launching the GUI application. Because of this, if a user unselects our app as a LoginItem, when it is relaunched, it will add itself back. I have checked the SMAppService statuses (.enabled, .notRegistered, .notFound) and discovered that when a user disables the app as a login item, the status is returned as .notFound. I am trying to find a way to detect if the user previously removed our app from login items and not register the app as a login item back, but for the first time the user opens the app the app is registered as a login item. Would checking if the status is .notRegistered work in this case for a first time install? What should i do differently? func applicationDidFinishLaunching(_ aNotification: Notification) { ... guard !Runtime.isDebug else { self.logger.debug("Detected Xcode host; Skipping installation of helper components.") return } self.logger.info("Setting UI login item") if mainApp.status != .enabled { //old code, incorrect. What should go here? do { try mainApp.register() } catch { logger.error("Failed to initialize UI login item: \(error.localizedDescription)") } } }
3
0
436
Jul ’24
Configure autostart of a sandboxed Java app
I have developed a backup application in Java. In it, users can configure whether they want it to autostart or not. If they do, a plist file is being written to ~/Library/LaunchAgents so that my app starts at login. This works perfectly so far. I've not submitted it to the Mac App Store. But for that, it needed to be sandboxed. And with that, I had to add a "com.apple.security.temporary-exception.files.home-relative-path.read-write=/Library/LaunchAgents/" to my entitlements so that the plist file could still be written to ~/Library/LaunchAgents. However, they do not approve this. Is there another solution to launch my application at login? Must work with sandbox-mode Must work from Java/Shell/... (I found "SMAppService", but this seems only available in Swift/Objective-C)
1
0
466
Jul ’24
Mac App with Python Embedded: Sandbox Blocks Python Script from Running Only in Release Mode?
I have an XPC service that embeds Python. It executes a python script on behalf of the main app. The app and xpc service are sandboxed. All seems to work just fine in the development environment but the script fails in the released version. I disabled writing pycache by setting the PYTHONDONTWRITEBYTECODE environment variable because pycache tries to write inside my app bundle which fails (I believe I can redirect the pycache directory with PYTHONPYCACHEPREFIX and may experiment with that later). Specifically this line fails in the release version only (not from Xcode): PyObject *pModule = PyImport_Import(moduleNameHere); if (pModuleOwnedRef == NULL) { // this is null in release mode only. } Any ideas what can be going wrong? Thanks in advance.
3
0
682
Jul ’24
NEMachServiceName failure to access after network extension upgrade
We have a product which uses a Network Extension (a socket filter and a packet content filter). The application contains the network extension, as well as an un-sandboxed LaunchDaemon which connects to the service at the NEMachServiceName. Occasionally, usually after an upgrade where the system extension is swapped for the new version, our un-sandboxed process isn't able to contact the network extension. From the logging, we receive the following XPC error (libxpc.dylib) [com.apple.xpc:connection] [0x7fd6d0307f40] failed to do a bootstrap look-up: xpc_error=[3: No such process] in the unsandboxed process. Eventually, we receive an invalidated callback on the XPC connection with the error Couldn’t communicate with a helper application.. We have confirmed that an appropriate service is running via the launchctl command, and the network extension process appears to have initialised correctly. We don't see any indication of a received connection at the Network Extension process however (probably not surprising given the error). Once a system enters this state, repeated attempts to connect are unsuccessful and continue to produce the same error. We've also confirmed that there are no XPC codec exceptions apparent that might cause the connection to fail. I'm at a bit of a loss to explain why this failure might be occurring, other than a problem in the bootstrap/launchd being able to find the appropriate service. Is there possibly some problem with unsandboxed processes accessing the sandboxed network extension via XPC? They are both provisioned in an app group together. Is there possibly some issue where attempting to connect at a critical point during network extension installation causes it to become inaccessible? We've observed this specifically on macOS 14.5 (23F79), however this is something we've noticed on other versions of macOS and our code. The problem isn't systematic, and systems end up in this state only occasionally. We do seem to find some customers have more instances of this problems than others, but we haven't been successful at teasing out any common thread that might explain why.
3
0
569
Jul ’24
NSXPCConnection setCodeSigningRequirement: in sandbox works only with Developer ID signing
Hello, I use setCodeSigningRequirement: in sandboxed XPCService and it seems that no matter what I always get errSecCSNoSuchCode[1] when the app is signed with development certificate. The same application signed with DeveloperID is fine. I use following CSR for development signed builds. identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and certificate leaf[field.1.2.840.113635.100.6.1.12] exists But also tried to simplify to identifier com.example.app or just true. If I validated the CSR with codesign -R I get "explicit requirement satisfied". I spotted this log line: Sandbox: com.example.app(67058) deny(1) file-read-data /Users/(...)/example-app/build/arm64-mac/src/mac/app/Debug/Example App.app/Contents/MacOS/ExampleApp So I disabled the sandbox for XPCService and now everything works. But then why the DeveloperID signed build works with XPCService sandboxed? ...or does it really? :) Just for completeness the CSR which I use in production build are: identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = EXAMPLE
5
0
744
Jun ’24
Unix Domain Socket, Network Framework and App Sandboxing
Dear Apple Developers, I am working on a macOS project where the container app acts as a server and communicates with a command-line program developed by my colleagues via a Unix domain socket. The macOS part was written using the new Network Framework. Here is a snippet of the code: let params = NWParameters() let socketFile = URL(fileURLWithPath: socketPath) params.defaultProtocolStack.transportProtocol = NWProtocolTCP.Options() params.requiredLocalEndpoint = NWEndpoint.unix(path: socketFile.path) params.allowLocalEndpointReuse = true self.listener = try! NWListener(using: params) listener?.newConnectionHandler = ... listener?.start() When my colleague's program needs to send data, it connects to the socket created by the macOS app, and the data is received perfectly—unless the macOS app is sandboxed. I have added outgoing and incoming connections entitlements to the macOS app. I tested my colleague's program both embedded in the macOS app and separately, ensuring to add the com.apple.security.inherit entitlement as well. However, it still doesn't work when the macOS app is sandboxed. The socket file's permission is srwxr-xr-x@ and is located in the containers folder when sandboxed, and srwxr-xr-x and HOME/Library/Application Support/MyApp when not sandboxed. What could be going wrong? Does the Network Framework support this use case, or do I need to revert to using AF_UNIX? Thank you for your assistance. Best regards. ps. My colleagues' program was written in go, using a standard function conn, err := net.Dial("unix", "socket_path_in_container"). It outputs invalid argument error when the macOS App is sandboxed.
2
0
701
Jun ’24
Any way to make NSWorkspace's showSearchResultsForQueryString work?
It fails in a sandboxed app. I found a couple suggestions. One was to add a NSAppleEventsUsageDescription pair to the Info.plist so the user would be asked to grant permission for AppleEvents. But that never happens for showSearchResultsForQueryString. The next was to add the com.apple.security.temporary-exception.apple-events entitlement and provide com.apple.finder as the app. This DOES work, but Apple is rejecting my app because of it, even though I've said it's the only way to make showSearchResultsForQueryString work. I'm still waiting for them to tell me how to do it in a more correct way. This is obviously a bug, because an app should be able to use any NSWorkspace method without jumping through security hoops. Has anyone else found a way to make it work and get their app on the App Store?
7
0
608
Jul ’24
Sanboxed apps won't open 3rd party filesystem files
I'm having trouble opening files residing on a custom filesystem implemented as a kext via sandboxed apps. Preview.app is one such example. The app launches, but it won't display file contents. In system log files I'm seeing entries related to com.apple.foundation.filecoordination:claims with no error messages to indicate a possible reason why file contents aren't being displayed. Non-sandboxed apps, such as GoogleChrome.app do not exhibit such behaviour. The kext is unsigned and running in an environment with SIP disabled and Security Mode reduced to Permissive. What is required for a 3rd party filesystem kext to integrate with sandboxed apps? Any pointers and/or assistance would be greatly appreciated.
10
2
1.1k
Jul ’24
MacOS sandbox file permissions
I am creating a new macOS application that requires access to files outside of the sandbox. It needs to be docked in a silent state and packaged using the Electron Builder application. I have configured the relevant permissions as com.apple.security.memory-exception.files.absolute path.read-only, It can be accessed normally in the local version of mas dev. The configuration parameters are as follows: <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key> <array> <string>/Volumes/NO NAME/</string> <string>/Volumes/NO NAME 1/</string> <string>/Volumes/NO NAME 2/</string> </array> But during the review period of the app store, some people said it was not of legal value. The following is the original statement: Your application is not properly sandboxed, or it contains one or more rights with invalid values. Before resubmitting the new binary file, please review the included rights and sandbox documentation and resolve this issue. com.apple.security.temporary-exception.files.absolute-path.read-only True If there is a com.apple.security.memory-exception.files.absolute path.read-only authorization, will the app store accept it? What do I need to do to access it?
3
0
890
Jun ’24
MacOS sandbox file permissions
我们正在创建一个新的 macOS 应用程序,该应用程序需要访问沙盒之外的文件。它需要以静默状态停靠并使用 Electron Builder 应用程序进行打包。我已将相关权限配置为 com.apple.security.memory-exception.files.absolute path.read-only , 它可以在 mas dev 的本地版本中正常访问。配置参数如下: com.apple.security.temporary-exception.files.absolute-path.read-only /Volumes/NO NAME/ /Volumes/NO NAME 1/ <字符串>/卷/无名称 2/</字符串> </阵列> 但在应用商店审查期间,有人说它不是法律价值。以下为声明原文: 您的应用未正确实现沙盒,或者它包含一个或多个具有无效值的权利。在重新提交新的二进制文件之前,请查看包含的权利和沙盒文档并解决此问题。 com.apple.security.temporary-exception.files.absolute-path.read-only True 如果存在 com.apple.security.memory-exception.files.absolute path.read-only 授权,应用商店会接受它吗?我需要做些什么才能访问它?
1
0
563
May ’24
Need to be able to upload non-sandboxed app for verifying a TestFlight related bug
I have an app in the App Store that doesn't need to be sandboxed (it's been in the MAS since 2010, before sandboxing became mandatory for new apps). I have run into an obscure bug that ONLY appears when the app was installed by TestFlight, but not when I run the same executable from before the upload (taken from the very same archive). I suspect it's a bug around the installed receipt or is codesign related, because that's the only things I am aware of that would be changed between my upload and the re-download via TestFlight. To debug this, I have built a small test project that I want to submit to DTS, demonstrating the bug in a clear and direct manner. But when I try to upload it, even for "internal testing" only, the upload gets rejected automatically because it's missing the App Sandbox entitlement. However, if I add the entitlement, then my app won't work, so I cannot enable it. Hence I need to get an exception from App Review so that they allow me test app being uploaded without the sandbox entitlement. I know that's possible because otherwise I'd not be able to upload my regular application, which I did just the other day. How do I get this resolved? Would a member of the App Store team please contact me? The Apple ID for the test project is: 410006334. Or, alternatively, you can also use the newer 6503298614 (I tried the other in hopes it would be allowed not to be sandboxed because I had created it long ago, but that didn't work out).
0
0
430
May ’24
Does macOS clean /tmp dir automatically in app containers?
I know that system /tmp and $TMPDIR are cleaned periodically and on reboot, but what about /tmp directory inside app containers? Because it looks like on macOS Sonoma it is not cleaned automatically and I was wondering if it is by design? And what should I do about it? Should I delete these files manually for existing users or is it possible to somehow nudge macOS into doing it?
2
0
839
May ’24
View count of open SecurityScoped Resources?
Hello, I'm trying to determine if my application is not releasing all security scoped resources and I'm curious if there's a way to view the count of all currently accessed URLs. I am balancing all startAccessingSecurityScopedResource calls that return true with a stopAccessingSecurityScopedResource, but sometimes my application is unresponsive when my mac wakes from sleep. Console logs indicate some Sandboxing issues. Unresponsiveness is resolved by a force-quit and restart of the application. I'd like to try and observe what's going on with the number of Security Scoped resources to get to the bottom of this. Is it possible?
2
0
477
May ’24
Trigger permission dialog for file access from kind of user supplied path.
I have the following situation: My SwiftUI App for macOS is using App Sandbox and is currently configured for read/write access for all the locations selectable in XCode I have added a file selector using a button and NSOpenPanel() to let the user select a folder containing a database file, to which I successfully get permissions using URL.bookmarkData() and URL.startAccessingSecurityScopedResource() I then try to read file paths from the database file and open those but I instantly get a permission error without a permission dialog/prompt appearing In my test I am using paths to files in my iCloud Drive folder I added all file/folder related usage string entries to the Info.plist for testing I think this is weird, since I can paste one of those file:// URLs from the database into a (non-Safari) browser and it shows the native permission dialog/prompt before downloading the file as expected. Is there any usage string that's not shown in the Info.plist Dropdown in XCode that I need to add to my app in order for this to work?
3
0
881
May ’24
Crontab commands are not permitted when sandbox enabled.
For scheduling purpose our Mac application using crontab terminal commands, which are working fine when sandbox is not enabled. For submitting the application to Appstore, we enabled the sandbox option and after that Crontab commands are not working. Getting the error messages as, /bin/sh: /usr/bin/crontab: Operation not permitted. Could you please guide us how to use the crontab commands when sandbox option enabled.
2
0
404
May ’24
App Sandbox blocked my launchPath
I need help, when I run code without a sandbox it works well. however, when I enabled it, it gave me (Thread 3: "launch path not accessible")! How can I fix that? let task = Process() task.launchPath = "/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/Frameworks/python3" task.arguments = ["/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/SectraFix.py", selectedDirectoryURL.path, destinationDirectoryURL.path] let pipe = Pipe() task.standardOutput = pipe task.launch() task.waitUntilExit() let data = pipe.fileHandleForReading.readDataToEndOfFile() if let output = String(data: data, encoding: .utf8) { print(output) }
1
1
606
May ’24