App makes network connection despite entitlements

I have noticed this issue on BigSur that did not happen on Catalina:

An app is attempting to establish a network connection, despite the following entitlements:

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <false/>

An outbound firewall is preventing it, but my understanding is that these entitlements should prevent entirely the app from making connections.

Has this changed under BigSur?


If you remove the com.apple.security.network.client entitlement entirely, rather than setting it to false, what do you see?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Eskimo, thanks for your help.

When I remove the line entirely (but keep the sandbox entitlement), it seems it is not making network connections.

(I am not entirely sure because the network connections are only sporadic, but that seems to be the case).

That is odd; is that entitlement broken?

Accepted Answer

when I remove the line entirely (but keep the sandbox entitlement), it seems it is not making network connections.

Cool.

is that entitlement broken?

I think that depends on your perspective. At a practical level, adding an entitlement with the default value is pointless. At best it does nothing (except waste bytes on disk and the energy required to process it). In the worst case it may trigger implementation oddities like this one.

At a theoretical level I agree that we should honour the value in the entitlement. However, I can’t recommend that you file a bug about the current behaviour because we can’t change it without the risk of binary compatibility problems.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
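As an added illustration (not code from this thread or from Apple), a small Python lint that reads an entitlements plist, reports whether the sandbox is on and whether outbound connections are granted as documented, and lists keys explicitly set to their default <false/> so they can be dropped before re-signing. The DEFAULT_FALSE_ENTITLEMENTS set is an assumed illustrative subset of App Sandbox keys, and the sample plist is constructed to match the one in the question.

```python
import plistlib

# Assumption: illustrative subset of App Sandbox keys whose default, when the
# key is absent, is "not granted". Writing <false/> for them adds nothing.
DEFAULT_FALSE_ENTITLEMENTS = {
    "com.apple.security.network.client",
    "com.apple.security.network.server",
    "com.apple.security.device.camera",
    "com.apple.security.device.microphone",
    "com.apple.security.files.user-selected.read-write",
}

# Constructed sample mirroring the entitlements quoted in the question.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <false/>
</dict>
</plist>
"""


def lint_entitlements(plist_bytes: bytes) -> dict:
    """Report sandbox status, the documented outbound-connection expectation,
    and keys explicitly set to their default value."""
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get("com.apple.security.app-sandbox") is True
    redundant = sorted(k for k in DEFAULT_FALSE_ENTITLEMENTS if ents.get(k) is False)
    # Documented intent: a sandboxed app may open outbound connections only
    # when network.client is present and true; unsandboxed apps are unrestricted.
    outbound = (not sandboxed) or ents.get("com.apple.security.network.client") is True
    return {"sandboxed": sandboxed, "outbound_allowed": outbound, "redundant_false": redundant}


def strip_redundant(plist_bytes: bytes) -> bytes:
    """Return the plist with redundant <false/> keys removed; the app must
    still be re-signed with the cleaned file for the change to take effect."""
    ents = plistlib.loads(plist_bytes)
    for key in DEFAULT_FALSE_ENTITLEMENTS:
        if ents.get(key) is False:
            del ents[key]
    return plistlib.dumps(ents)
```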

It feels like a pretty serious bug to me. This entitlement is meant for safety, and it seems that the code underpinning it is broken.

I feel I should file a bug report to prevent:

  1. Other developers building apps with that entitlement set to false, not knowing this fails
  2. Other bugs in that code (a bug might hide others)

I understand your point about binary compatibility, but at the very least a warning on the documentation page not to explicitly set the value as false would be useful.

Ultimately, I'll rely on your judgement, though. What do you think?

Ah, I have dug a bit further. If I re-sign the app with the original entitlements, then it works properly. So it seems the issue was a compatibility one: apps signed on an older version of macOS do not honor the entitlement. Simply re-signing under the new OS seems to solve the problem.
