I'm working on a packet-capture GUI application using the pcap library (which uses /dev/bpf0) in Xcode 11. When in App Sandbox it fails with the following error:
pcap_open_live failed with error en0: (cannot open BPF device) /dev/bpf0: Operation not permitted
With app sandbox disabled it succeeds.
I set all of the following entitlements, but pcap_open_live still failed while sandboxed:
sandbox->incoming connections(server)
sandbox->outgoing connections(client)
Custom network protocol
All 4 network extensions (app proxy, content filter, packet tunnel, dns proxy)
Questions:
1) Is it possible to use pcap/BPF from within the sandbox (with some other entitlement perhaps?)
2) Are the pcap libraries (which are documented in a manpage) considered "non-public API" for purposes of app review guideline 2.5.1 (apps may only use public APIs)?
(contingency question if the answers to #1/#2 are bad): Is there another way to capture ethernet frames that is acceptable to the app store?
Note that app review guideline 2.4.5(i) requires that macOS apps in the app store be appropriately sandboxed.
Thanks!
Darrell
It also makes me wonder if sandboxed apps run as a different "user".
They do not.
Keep in mind that there are two things blocking you from accessing this dev node from an App Store app:
The permissions on the dev node itself
The sandbox
Monkeying with group owner will help with the former but not the latter.
You might be able to make progress on the latter using a temporary exception entitlement (see the App Sandbox Temporary Exception Entitlements) but my experience is that App Review is very reluctant to let apps use that.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"