For some years I have developed and maintained a SwiftUI based app as GUI ontop of the command line tool rsync. The app is available on HomeBrew and works as expected, included using rsync command line tool from HomeBrew. I have now developed a new GUI, a downscale version of the original app, using SwiftData and using only the default rsync in /usr/bin/rsync. No access to remote servers by ssh-keys, only local attached disk on your Mac. SwiftData is used for storing data about synchronise tasks and log records from run. The app works, but as soon as I enable the App Sandbox, the app does not permit to executed default included command line tool from /usr/bin. The GUI app executes the command line tool by a Swift Process object.

My sandboxed macOS app requires the user to grant permission under Privacy & Security / Accessibility in order to support extra functionality. If no permission is granted the app can still be used albeit with very basic functionality. In order to allow the user NOT to have to immediately decide whether to grant this permission when first launching the app, a dialog allows them to say “I’ll do it later”. As such, the app uses a timer with a one second interval to ask the system if permission has been granted and if so, implements the extra functionality. By the way, I would rather have used a notification instead of a timer, but there does not seem to be one. // Schedule a timer to periodically check accessibility status accessibilityTimer = Timer.scheduledTimer(timeInterval: 1.0, target: self, selector: #selector(checkAccessibilityStatus), userInfo: nil, repeats: true) func isAccessibilityEnabled() -> Bool { let accessibilityEnabled = AXIsProcessTrusted() return accessibilityEnabled } @objc func checkAccessibilityStatus() { if isAccessibilityEnabled() { print("Accessibility is enabled.") accessibilityTimer?.invalidate() if gEventTap == nil { tapper()//as003 gTypeIt4MeMenu?.item(at: kPauseResumeItem)?.title = "Pause" gStatusItem?.button!.image = NSImage(named: "menubar_icon_16x16") NotificationCenter.default.post(name: NSNotification.Name(rawValue: "showGreenTick"), object: nil) } } else { print("Accessibility is disabled.") } } My problem is that when I build the app with my development certificate, it runs as expected. However, when I upload it to TextFlight and download from there, it no longer “notices” when I grant it permission.

To restrict outgoing connections, I've ensured that the following key in not present in the entitlement file: <key>com.apple.security.network.client</key> <true/> The api calls made using URLSession and WKWebView are restricted as expected, but the same is not the case with MKMapView. The map content and the directions api are able to make outgoing network calls. Please let me know if it's possible to reliably restrict outgoing network connections in a sandboxed app?

I accidentally deleted the DerivedData folder while trying to delete the files to reset the cache. Now Xcode returns following errors regarding with this folder. I'm using Flutter and Android Studio but building on Xcode to run my app on iPhone. This project is a ongoing and quite mature project so I have to solve these error. When I open a brand new project in Flutter, it works fine without any error. Error # 1 : Sandbox: rsync.samba(12046) deny(1) file-write-create /Users/mycompany/Library/Developer/Xcode/DerivedData/Runner-bfdtmaowyaodbagkvttzeqjhiwjl/Build/Products/Debug-iphonesimulator/Flutter.framework Error # 2 : Sandbox: dart(12019) deny(1) file-write-create /Users/mycompany/Library/Developer/Xcode/DerivedData/Runner-bfdtmaowyaodbagkvttzeqjhiwjl/Build/Products/Debug-iphonesimulator/.last_build_id Error # 3 : Flutter failed to write to a file at "/Users/mycompany/Library/Developer/Xcode/DerivedData/Runner-bfdtmaowyaodbagkvttzeqjhiwjl/Build/Products/Debug-iphonesimulator/.last_build_id".

According to https://developer.apple.com/documentation/security/app_sandbox/discovering_and_diagnosing_app_sandbox_violations it is possible to view detailed violation reports for non-system services. Is it possible to do something similar for system services? I have encountered an issue where several (all?) of my Macbooks get into a sandbox violation situation (I assume). Below is in excerpt from logs focusing just on the sandbox violation. The errors are surrounded by XPC failures and errors. error 23:23:21.382263+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:24.385962+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:27.389910+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:36.408940+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:45.419593+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:54.432109+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence The above is just an except, and it seems that Family, imagent and searchpartyuseragent are trying to access com.apple.contactsd.persistance once per second or so and failing (there are also some attempts to reach com.apple.timed.xpc, but an insignificant amount in comparison to com.apple.contactsd.persistance). This in turn causes Diagnostics Reporter to start, and then end hastily almost every ten seconds. fault 23:23:05.903908+0100 Diagnostics Reporter Invalid launch. fault 23:23:16.038017+0100 Diagnostics Reporter Invalid launch. fault 23:23:26.136348+0100 Diagnostics Reporter Invalid launch. fault 23:23:36.274543+0100 Diagnostics Reporter Invalid launch. fault 23:23:46.414546+0100 Diagnostics Reporter Invalid launch. I have no idea how I did this, but I seemed to have messed up sandbox access rights to contacts for some system services?

Hey! Im new here and currently learning iOS/macOs development (SwiftUI), so...take me easy :) I want to create a simple macOS app to let user set time until computer power off. I found an example with AppleScript and use it on my app, but I found that App won't run with Sandbox enabled, and to deploy app on AppStore it show me that Sandbox must be enabled. The script I want to use: 'tell application "System Events" to shut down' I found some examples that add script onAbsolute path, but after I do that, it won't let me to distribute the app, only export to run local. It is any way to make script running (no matter, if app ask for user permission/admin pass) ?

I recently reset my machine to factory settings to start the year fresh and installed Xcode 15.1 on my Macbook Air M1. I was trying to run, build, archive a project and ran into a recommended settings pop-up that I unfortunately dismissed. Now I am not sure how to locate it or trigger it back so I can update it appropriately. Can someone advise? Thanks in advance!

Is setting "Enable App Sandbox : Yes" required for distributing an app to the App Store? I'm building my first app, a game, and can only test on my physical device with the Sandbox set to No. I can run it on the emulators with Sandboxing enabled. I'm still using the free developer account and will be enrolling in the paid account once 2024 arrives.

Electron app builded successfully with electron forge and @electron/osx-sign. But it crash when startup and get crash log below: Time Awake Since Boot: 320000 seconds Time Since Wake: 9200 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BREAKPOINT (SIGTRAP) Exception Codes: 0x0000000000000002, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Trace/BPT trap: 5 Termination Reason: Namespace SIGNAL, Code 0x5 Terminating Process: exc handler [95916] Thread 0 Crashed:: Dispatch queue: com.apple.main-thread if I use custom entitlements, it shows: Time Awake Since Boot: 310000 seconds Time Since Wake: 8600 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_INSTRUCTION (SIGILL) Exception Codes: 0x0000000000000001, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Illegal instruction: 4 Termination Reason: Namespace SIGNAL, Code 0x4 Terminating Process: exc handler [93221] Application Specific Information: dyld: launch, running initializers /usr/lib/libSystem.B.dylib Could not set sandbox profile data: Operation not permitted (1) Application Specific Signatures: SYSCALL_SET_PROFILE here is entitlement: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.server</key> <true/> <key>com.apple.security.network.client</key> <true/> </dict> </plist> inherit entitlement: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> </plist> what can I do to resolve it?

I'm distributing my app in zip format. But stuck in app update? My app self-detects for the latest version. If yes, then launch other non-appsandbox app that download the latest version, and then replace the old app (in the /Applications directory) with the new one. It works correctly. But once I made the Updater app a Sandbox app, it did not allow me to replace the app. Error: You don’t have permission to save the file “ESPlus” in the folder "Applications.”

I am creating a MacOS app embedding the QuickLook extension in it. The other day, I uploaded it to App Store Connect and had it reviewed. But it was rejected due to the following reason. Your app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Please review the included entitlements and sandboxing documentation and resolve this issue before resubmitting a new binary. com.apple.security.temporary-exception.files.absolute-path.read-only / This entitlement is also included in my app's meta data on my account page of App Sore Connect. Including it, I can find the following two entitlements related to "temporary-exception" in the meta data. com.apple.security.temporary-exception.files.absolute-path.read-only: ( "/" ) com.apple.security.temporary-exception.mach-lookup.global-name: ( "com.apple.testmanagerd", "com.apple.dt.testmanagerd.runner", "com.apple.coresymbolicationd" ) To tell the truth, about Sandbox entitlements for QuickLook extension, what I intentionally set on the Xcode project are the next two items only. And actually I have not ever recognized that the entitlements related to "temporary-exception" above are included in my app's bundle. com.apple.security.app-sandbox: true com.apple.security.files.user-selected.read-only: true I think these "temporary-expection" entitlements are essential ones for the QuickLook extension and it looks like that Xcode automatically attached them in the process of creating app's build. If they are forced to be attached by getting the QuickLook extension sandboxed, I don't know what I should do. Although I explained my thought to the reviewer, but I could not change the situation. Is there no way to get solution besides removing the QuickLook extension from my app ?

I’m trying to implement XPC Rendezvous like Quinn described in many awesome posts on here but I’m now at a stuck point were I just have no idea. I want to communicate with a Safari extension via XPC and also a helper application which led me to XPC Rendezvous (https://developer.apple.com/forums/thread/715338) because a XPC Service in the Extension is scoped to the container. I then made a Command Line Target and added it like its described here (https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app ) and also took the xpc test code and inspiration to set up my launch agent from here (https://developer.apple.com/documentation/servicemanagement/updating_your_app_package_installer_to_use_the_new_service_management_api). This command line tool should do the management for the XPC connections because it’s not in the sandboxed container. The tool sets up the xpc connection like in the sample code directly and not in a XPC Service added via a Target template. It exposes the Mach Service. And that looks like its building fine after some fighting but the service just wont start - I saw it trying in console and after running it in Xcode and finally finding the crash report - it brought me there (https://developer.apple.com/forums/thread/706390) I have Process is not in an inherited sandbox. - and thinking about it, it makes sense because I first thought its just because it ran through Xcode, but its crashing this way also as a LaunchAgent. I mean it does make sense - there is nothing to inherit because it’s spawned by launchd - and that’s what I want isn’t it - to make the Rendezvous? Okay I thought now removing com.apple.security.inherit brings it in its own Sandbox (its needs sandboxing) but this also crashes the process because of the sandbox. Also after adding it to the App Group. What am I missing here or what do I want to accomplish? Do I want to inherit the sandbox? I guess not the helper should have its own. The only difference I see in comparison to SMAppServiceSampleCode is it moves the product in Copy Bundle Resources, and I have a Copy Files Phase with Destination: Executables (Like the other sample code said - and that’s looks “more correct” - and well SMAppServiceSampleCode isn’t sandboxed. I then tried making a new Command Line Target and just added App Sandbox Capability and tried to run this fresh one - and that also crashes. This makes me think I’m just ****** somewhere but I have read now everything I could find. I’m happy to provide any Code or crash logs but I dont know what part is really relevant here, It looks like the LaunchAgent gets installed correctly and wants to run but the sandbox is preventing me. The Bundle Identifier and XPC device name of the helper starts with my teamID (I got that from here https://developer.apple.com/forums/thread/703702) What could I be doing wrong? Thanks a lot! Benjamin

Hi there! I am trying to publish a macOS app on App Store, thus the app must be sandboxed. The app is built with Electron and electron-builder. A tool of the app needs to run a local web server, to do so a java runtime and a .jar file are downloaded during runtime and the server is started using spawn. In the MAS version of the app, running from TestFlight, I get EPERM error when spawn is called. Both java's runtime and .jar are downloaded to app's container. I have tried also downloading them to outside the container (by saving them in the directories that are symlinked to outside of it) by I get the same error. How could I solve that issue?

Context I'm using the NSFileCoordinator &amp; NSFilePresenter in a sandboxed application to access SQLite database files and their secondary files (e.g. WAL or journal files) as per https://developer.apple.com/documentation/foundation/nsfilepresenter/1415415-primarypresenteditemurl E.g. something similar to this: var presenters: [NSFilePresenter] = ["wal", "journal", "shm"].map { ext in let presenter = SQLiteTempFilePresenter(databaseId: databaseContext.id, sqliteMainFile: url, newExt: ext) // addFilePresenter needs to be balanced with a `removeFilePresenter`. See SQLiteTempFilePresenter#deinit NSFileCoordinator.addFilePresenter(presenter) return presenter } That way there will be a NSFilePresenter for each possible secondary SQLite file (e.g. with the main file being foo/bar/database.sqlite there will be presenter for each of the secondary files foo/bar/database.sqlite-shm and foo/bar/database.sqlite-wal) Using NSFilePresenter to work with SQLite files within the Sandbox environment works as expected. Desired change I'd like to expand the usage of NSFileCoordinator to react to changes to the SQLite files that happen outside of the application. To achieve that I added an additional NSFilePresenter for the main file (e.g. foo/bar/database.sqlite) that has a func presentedItemDidChange() method. That method does get called when I change the corresponding SQLite file (e.g. by using the sqlite3 command line tool). So far so good. But in WAL mode (https://www.sqlite.org/wal.html), changes to the SQLite file don't immediately change the file itself but get written to the write-ahead-log first (e.g. foo/bar/database.sqlite-wal in this example). Only when the outside connection is closed, will the changes be committed to the main SQLite file itself. At which point the NSFilePresenter#presentedItemDidChange() method will be called. So I also like to be notified when the secondary files change. Adding a presentedItemDidChange() callback method to the SQLiteTempFilePresenter instances for the secondary files does not seem to work, the method never gets called even though the corresponding secondary files change. Questions If I add another instance of the NSFilePresenter for each of the secondary files, the callback presentedItemDidChange() gets called for the secondary files as well. Having two different instance of the NSFilePresenter for a single URL (one for sandboxing purposes, the other for being notified of file changes) seems a bit fishy though. Is that the intended (or at least an acceptable) way of using NSFilePresenter? The documentation for NSFilePresenter states that "If another process uses a file coordinator for the same file or directory, your presenter objects are similarly notified whenever the other process makes its changes." I do get notified though when using the sqlite3 command line tool which does not use a NSFileCoordinator. Is there any documentation that explains that behaviour? I mean it's great that it seems to work but I'd like to understand why.

We're doing some disaster recovery management / risk management and a point-of-failure for our app is if we lose access to our bundle id. From my understanding, secure keychain items are scoped to your bundle ID as well as iCloud files stored under the app with 'hidden' scope. Losing our bundle ID is a scenario we want to eliminate completely from our threat/disaster modelling. Is this a realistic concern we should have?

Hello, I am trying to create a dmg file by launching hdiutil through my swift program. This swift program is sandboxed. Here is what i've done: let hdd_file:String = NSHomeDirectory() + "hdd.dmg.sparseimage" let process = Process() process.launchPath = "/usr/bin/hdiutil" process.arguments = ["create", "-size", "30g", "-fs", "'APFS'", "-volname", "myvolume", "-type", "SPARSE", hdd_file] let pipe = Pipe() process.standardOutput = pipe process.launch() let data = try pipe.fileHandleForReading.readToEnd() print(data) I get this error: hdiutil: create failed - Device not configured I don't understand why i get this error because the dmg file is created in application's sandbox home directory. Or maybe hdiutil is forbidden but i am just creating a dmg file. I am not trying to mount a device. Do you have any idea of how i can create a dmg file from my sandboxed application ? Thanks

I've encountered an issue while working on a macOS project involving Camera extension, specifically related to NSPasteboard. I want to use NSPasteboard for sending string type data from app to Camera Extension. Strangely, the exact same code that works flawlessly with NSPasteboard in a DAL plugin doesn't seem to work when implemented in a camera extension. To clarify, I can access the exact same pasteboard using the identical code in the DAL plugin and in an App, but when attempting the same in the camera extension, it doesn't behave as expected. Below is the code snippet I'm using in the camera extension: let pasteboardExtension = NSPasteboard(name: NSPasteboard.Name(rawValue: "com.example.myextension")) if let items = pasteboardExtension.readObjects(forClasses: [NSString.self], options: nil) as? [String] { NSLog("Received items in extension: \(items)") } else { NSLog("No items received in extension") } I've thoroughly reviewed the documentation without finding a resolution. Has anyone else faced a similar discrepancy between NSPasteboard behavior in DAL plugins and camera extensions? I'm reaching out for advice, insights, or potential workarounds from the community. If you have successfully addressed a similar issue or have any information that might shed light on this situation, your input would be greatly appreciated. Does Camera Extension support NSPasteBoard?

Context I have an app that uses the container for two things: store a realm database, and store a log.txt file with some debugging logs for myself. The realm database path is set via Realm.Configuration.defaultConfiguration The log.txt file path is set with FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0].appendingPathComponent("log.txt") I already have released and distributed the version 1 to a few users. Given the complexity around signing an app in Xcode, the app was released and distributed unsigned. And now I'm trying to release the version 2 signed, but here's when I'm getting this weird issue. All unsigned apps (version 1, and the unsigned version 2) are using as container the path ~/Library/Containers/com.dgrcode.{appName}/Data. The signed version 2, however, is using ~/ as the container. So for example log.txt is located at: unsinged apps: ~/Library/Containers/com.dgrcode.{appName}/Data/Documents/log.txt. signed app: ~/Documents/log.txt Realm's default.realm file is located at: unsigned apps: ~/Library/Containers/com.dgrcode.{appName}/Data/Library/Application Support/default.realm signed app: I haven't found it yet 😓 The obvious problem is that any user from version 1 that installs version 2 signed, will start using a new database instead of continuing using the existing database. And obviously having my app's data spread through their ~/ directory is far from ideal. Here's what I get when I run codesign -v -d on the first version (everything between {} has been redacted for clarity: Executable={/path/to/app} Identifier=com.dgrcode.{appName} Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=56564 flags=0x10002(adhoc,runtime) hashes=1757+7 location=embedded Signature=adhoc Info.plist entries=29 TeamIdentifier=not set Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=2 Internal requirements count=0 size=12 Where I think the most relevant part is the Signature=adhoc and TeamIdentifier=not set. Now I archive a version 2 of the app. I make a copy and I sign only one of them using codesign -v --sign. I package them inside a .dmg (not sure if this affects anything, but just in case), and check the .app inside each of the .dmg after mounting them. Here's the result of codesign -v -d for each one: unsigned: Executable={path/to/app} Identifier=com.dgrcode.{appName} Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20400 size=57452 flags=0x2(adhoc) hashes=1785+7 location=embedded Signature=adhoc Info.plist entries=31 TeamIdentifier=not set Sealed Resources version=2 rules=13 files=4 Internal requirements count=0 size=12 signed Executable={path/to/app} Identifier=com.dgrcode.{appName} Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20400 size=57335 flags=0x0(none) hashes=1785+3 location=embedded Signature size=4798 Signed Time=13 Nov 2023 at 12:17:24 Info.plist entries=31 TeamIdentifier=2W564BCY7Z Sealed Resources version=2 rules=13 files=4 Internal requirements count=1 size=188 The unsigned app works as expected. When I open the unsigned app, it continues using the realm database in the previous location ~/Library/Containers/com.dgrcode.{appName}/Data, and I can see the log.txt update its content. The signed app, however, doesn't use the same database, and is no longer writing to the log.txt file at ~/Library/Containers/com.dgrcode.{appName}/Data, but it's writing at ~/Documents/log.txt instead. It does use a database, but I have no clue where it is. Questions How can I make the signed app use the path ~/Library/Containers/com.dgrcode.{appName}/Data/ as its container lcoation? How can something like this happen just by signing the .app?

I'm using Flutter for creating app and I need to run a file with arguments from dart code (This file is in the app's container) on MacOS. How can I do it in a sandbox? I don't want to disable sandbox because then i can't publish app in App Store. I tried this code ProcessResult result = await Process.run(path, [-pa], includeParentEnvironment: true); but I'm getting error: ProcessException: Operation not permitted. Also, I saw thing called "Embedding a command-line tool in a sandboxed app", but I don't know how to do it in my case.

I'm encountering an intermittent issue while trying to run safaridriver on macOS Sonoma. Here are the details of the problem: I ran sudo /usr/bin/safaridriver -p0 --enable in the beginning. After that when I run this multiple times /usr/bin/safaridriver -p0, I sometimes receive an "Operation not permitted" error, but not consistently. This issue seems to occur intermittently. I've checked the sudo logs, and I see the following error message: kernel: (Sandbox) Sandbox: com.apple.WebDriver.HTTPService(2049) deny(1) user-preference-write com.apple.WebDriver.HTTPService cfprefsd: (CoreFoundation) [com.apple.defaults:cfprefsd] rejecting write of key(s) MobileDeviceRemoteXPCEnabled in { com.apple.WebDriver.HTTPService, nimish, kCFPreferencesAnyHost, /Users/nimish/Library/Preferences/com.apple.WebDriver.HTTPService.plist, managed: 0 } from process 2049 (com.apple.WebDriver.HTTPService) because setting these preferences requires user-preference-write or file-write-data sandbox access cfprefsd: (CoreFoundation) [com.apple.defaults:cfprefsd] Couldn't open parent path due to [2: No such file or directory kernel: (Sandbox) Sandbox: com.apple.WebDriver.HTTPService(2049) deny(1) network-bind local:*:7055 com.apple.WebDriver.HTTPService: (WebDriver) [com.apple.WebDriver:WebService] Error starting HTTP server listening on localhost:0: Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedDescription=Operation not permitted, NSLocalizedFailureReason=Error in bind() function} com.apple.WebDriver.HTTPService: (WebDriver) [com.apple.WebDriver:XPCService] Client connection invalidated for some reason I am getting this on Mac Os Sonoma Can anybody please help on this?