Sandbox app wrapping shell command

I need to embed a shell command inside an app. They way I am currently solving this is by using Automator.app.

It runs well enough except that it feels wrong security-wise because the resulting app has no hardened runtime, no sandbox.

I tried to emulate what Automator.app does directly in xcode, by selecting the proejct template "Command line tool". However, as soon as I enable the app sandbox, it crashes. I can still get the hardened runtime though.

So a few quick questions:

  1. Are sandbox only to protect against the app itself (in which case I should not worry because I trust my own code), or - similarly to hardened runtime - it also protects against attacks on the app ?

  2. I tried using the template "app". That obviously allows sandboxes, but that is not what I want because there is a GUI

  3. any thoughts on the best way to solve my original goal?

Thanks!

Sandbox app wrapping shell command

See Embedding a Command-Line Tool in a Sandboxed App.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the link. I saw this, but this is not exactly the use case : I was hoping to have only a simple command line tool, not embedded inside an app. I guess it's not really possible.

I was hoping to have only a simple command line tool, not embedded inside an app.

I’m sorry but I don’t understand this. Perhaps you could walk me through a typical user-level scenario of what you’re trying to achieve?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Well, let's imagine I have a python script that does something easy to do in python, but hard in swift : script.py

I would like to run this python script on a macOS system, but to protect the python process against tempering, I would like this python process to have a hardened runtime.

In the link you sent, there is a fully fledged app, in addition to the script. So I was wondering if there was a simpler way to do this, without the full app.

Also, with the technique described in the link, I don't know if the runtime of command-line tool itself is actually protected with hardened runtime?

Sandbox app wrapping shell command
 
 
Q