I need to embed a shell command inside an app. The way I am currently solving this is by using Automator.app.
It runs well enough except that it feels wrong security-wise because the resulting app has no hardened runtime, no sandbox.
I tried to emulate what Automator.app does directly in Xcode, by selecting the project template "Command line tool". However, as soon as I enable the app sandbox, it crashes. I can still get the hardened runtime though.
So a few quick questions:
- Is the sandbox only there to protect against the app itself (in which case I should not worry because I trust my own code), or, similarly to the hardened runtime, does it also protect against attacks on the app?
- I tried using the template "app". That obviously allows sandboxes, but that is not what I want because there is a GUI.
- Any thoughts on the best way to solve my original goal?
Thanks!