Enabling App Sandbox on a Command line tool

Hi,

I'm trying to build a CLI Tool using Swift to access a USB device I'm developing.

I would like to enable the App Sandbox - USB Entitlement for the tool. But as soon as I enable it and run the app in Xcode the app stops at a breakpoint on the main thread even though I didn't set any breakpoint:

Code Block
libsystem_secinit.dylib`_libsecinit_appsandbox.cold.5:
  0x192b730d4 <+0>: pacibsp 
  0x192b730d8 <+4>: sub  sp, sp, #0x30       ; =0x30 
  0x192b730dc <+8>: stp  x20, x19, [sp, #0x10]
  0x192b730e0 <+12>: stp  x29, x30, [sp, #0x20]
  0x192b730e4 <+16>: add  x29, sp, #0x20      ; =0x20 
  0x192b730e8 <+20>: mov  x19, x2
  0x192b730ec <+24>: mov  x20, x0
  0x192b730f0 <+28>: str  x1, [sp]
  0x192b730f4 <+32>: adrp  x2, 0
  0x192b730f8 <+36>: add  x2, x2, #0xf22      ; =0xf22 
  0x192b730fc <+40>: mov  w1, #0x800
  0x192b73100 <+44>: bl   0x192b73580        ; symbol stub for: snprintf
  0x192b73104 <+48>: adrp  x8, 346125
  0x192b73108 <+52>: add  x8, x8, #0x690      ; =0x690 
  0x192b7310c <+56>: stp  x20, x19, [x8]
-> 0x192b73110 <+60>: brk  #0x1

I'm running Xcode 12. This is reproducible simply by creating a new command line project and enabling the sandbox.

> I would like to enable the App Sandbox - USB Entitlement for the tool.

Why?


The App Sandbox is, as the name suggests, an app sandbox. It’s not really meant to be used by command-line tools (except for tools embedded in the app that inherit the sandbox from their container app). If you want to publish a tool with the App Sandbox enabled, you’ll have to jump through some hoops. The best approach depends on your specific requirements:
  • If you just want to use the App Sandbox, you should be able to do that by embedding an Info.plist within your executable (you need this to give your ‘app’ a bundle ID). Use the Create Info.plist Section in Binary (CREATE_INFOPLIST_SECTION_IN_BINARY) build setting.

  • If you end up needing to use any entitlements that must be allowed by a provisioning profile, you’ll need to place your tool into an app-like wrapper. See Packaging a Daemon with a Provisio….

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
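
The first option in the reply above, done by hand outside Xcode, as an added example that is not part of the thread and not Apple's code: the linker's `-sectcreate __TEXT __info_plist` is the command-line counterpart of the CREATE_INFOPLIST_SECTION_IN_BINARY build setting. The bundle ID `com.example.usbtool`, the file names, `main.swift` and the ad hoc signature (local testing only) are assumptions.

```shell
#!/bin/sh
# Added example: sandbox a single-file Swift tool by embedding an Info.plist.
# Bundle ID, file names and main.swift are assumptions, not from the thread.
BUNDLE_ID="com.example.usbtool"   # hypothetical bundle identifier

# Minimal Info.plist: gives the tool the bundle ID mentioned in the reply.
write_info_plist() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>$BUNDLE_ID</string>
  <key>CFBundleName</key><string>usbtool</string>
</dict>
</plist>
EOF
}

# Entitlements: App Sandbox plus the USB device entitlement.
write_entitlements() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.usb</key><true/>
</dict>
</plist>
EOF
}

# macOS only: link the plist into __TEXT,__info_plist, sign ad hoc with the
# entitlements, then print the entitlements the signature actually carries.
build_and_sign() {
  write_info_plist Info.plist
  write_entitlements usbtool.entitlements
  swiftc main.swift -o usbtool \
    -Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker Info.plist
  codesign --force --sign - --entitlements usbtool.entitlements usbtool
  codesign -d --entitlements - usbtool
}

# Run "sh build.sh build" on a Mac; without the argument only the functions load.
if [ "${1:-}" = "build" ]; then build_and_sign; fi
```
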

Did you solve your problem? I'm having the same since macOS 12, which seems to have even stricter rules.

My SPM-based command-line-utility https://github.com/mickeyl/core-bluetooth-tool no longer works due to these rules.

> My SPM-based command-line-utility … no longer works due to these rules.

Hmmm, that doesn’t make sense. Nothing has changed recently in the App Sandbox space. Are you perhaps conflating App Sandbox with TCC?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
