Running a third-party executable in the sandbox: App-embedded binary tries to do something not permitted in the sandbox.

Hi,

I am now facing difficulties in sandboxing my app to distribute it at the App Store.

My app contains a binary executable that is distributed by a third party.

The executable was codesigned with a file for entitlements that contains exactly two App Sandbox entitlement keys:
  1. com.apple.security.app-sandbox, and
  2. com.apple.security.inherit,
and associated values are 'YES'.


The main app has four keys:
  1. App Sandbox,
  2. com.apple.security.files.user-selected.read-write,
  3. com.apple.security.network.client,
  4. com.apple.security.network.server,
and associated values are 'YES'.


To prevent injection of the 'com.apple.security.get-task-allow' entitlement, 'Code Signing Inject Base Entitlements' in the Signing pane of the Build Settings tab was set to 'NO'.

NSTask launching of the binary with NSHomeDirectory() as the current directory seems successful, but the binary returns a message on standard error: 'Error: mdbenvopen: Operation not permitted', and the standard output says that files were not created.

The addition of an entitlement key 'com.apple.security.temporary-exception.files.absolute-path.read-write' with an associated array containing a string '/' did not work, hinting that the error is not from writing or reading of files but possibly from executing something.

Are those entitlement settings correct? Is it possible to find the offending action of the executable that is not permitted and to configure the sandbox to allow that action?

I would appreciate any hints or comments.
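As an added illustration of the entitlement layout the question describes (this is not the poster's code or Apple's), the following script reads or constructs the two entitlement dictionaries and checks them against the rules the thread turns on: a helper that uses com.apple.security.inherit must carry only app-sandbox and inherit, everything the helper needs must be granted to the parent app instead, get-task-allow must be absent from a distribution build, and a temporary-exception that opens '/' is far broader than any helper needs. The dictionaries named HELPER_ENTITLEMENTS and APP_ENTITLEMENTS are constructed from the post's description; load_entitlements takes any .entitlements path you supply.

```python
import plistlib
from typing import Dict, List

# Entitlement keys discussed in the thread.
SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"
GET_TASK_ALLOW = "com.apple.security.get-task-allow"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."

# Constructed entitlement dictionaries mirroring the post's description;
# they are not the poster's actual .entitlements files.
HELPER_ENTITLEMENTS: Dict[str, object] = {SANDBOX: True, INHERIT: True}
APP_ENTITLEMENTS: Dict[str, object] = {
    SANDBOX: True,
    "com.apple.security.files.user-selected.read-write": True,
    "com.apple.security.network.client": True,
    "com.apple.security.network.server": True,
}


def load_entitlements(path: str) -> Dict[str, object]:
    """Read an .entitlements property list (XML or binary) into a dict."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def entitlements_xml(ent: Dict[str, object]) -> bytes:
    """Serialise a dict to the XML plist form that codesign --entitlements reads."""
    return plistlib.dumps(ent, fmt=plistlib.FMT_XML)


def check_helper(ent: Dict[str, object]) -> List[str]:
    """Problems with an embedded helper meant to inherit the parent app's sandbox.

    Apple's App Sandbox documentation requires a helper that uses the inherit
    key to carry app-sandbox and inherit only; any other entitlement belongs on
    the parent, because the helper runs inside the parent's sandbox.
    """
    problems: List[str] = []
    if ent.get(SANDBOX) is not True:
        problems.append(f"helper: {SANDBOX} must be true")
    if ent.get(INHERIT) is not True:
        problems.append(f"helper: {INHERIT} must be true")
    for key in sorted(k for k in ent if k not in (SANDBOX, INHERIT)):
        problems.append(f"helper: unexpected entitlement {key}; grant it to the parent app instead")
    return problems


def check_app(ent: Dict[str, object]) -> List[str]:
    """Problems with the parent app's entitlements for App Store distribution."""
    problems: List[str] = []
    if ent.get(SANDBOX) is not True:
        problems.append(f"app: {SANDBOX} must be true")
    if ent.get(GET_TASK_ALLOW) is True:
        problems.append(f"app: {GET_TASK_ALLOW} must not be present in a distribution build")
    for key, value in ent.items():
        if key.startswith(TEMP_EXCEPTION_PREFIX):
            paths = value if isinstance(value, list) else [value]
            if "/" in paths:
                problems.append(f"app: {key} grants '/' (the whole filesystem); narrow it to the paths the helper actually needs")
    return problems


def check_pair(helper: Dict[str, object], app: Dict[str, object]) -> List[str]:
    """Check both files together: the helper inherits the app's sandbox, so the
    app's entitlements define what the helper is allowed to do."""
    return check_helper(helper) + check_app(app)


if __name__ == "__main__":
    for line in check_pair(HELPER_ENTITLEMENTS, APP_ENTITLEMENTS) or ["no problems found"]:
        print(line)
    print(entitlements_xml(HELPER_ENTITLEMENTS).decode())
```

Run as-is it checks the constructed dictionaries; to check real files, pass `load_entitlements("path/to/Helper.entitlements")` and `load_entitlements("path/to/App.entitlements")` to check_pair. Note that this validates the files, not the signed binaries: an entitlement set that passes here still has to match what codesign actually embedded.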
Answered by yohtsubo in 649363022
I found that replacing the executable with an older version of it solved the problem. Up-versioning of Xcode (now I am using Version 11.3.1) may also work.
Maybe try replacing that 3rd party tool with one of your own that creates files with the same name, or dummy files. You can then add debug statements in your file and figure out what is going wrong.
Thank you for your post. I did as you suggested, and my own executable worked fine, successfully creating a file in the container directory.

You'll have to contact the developer then.

