Sandbox app wrapping shell command

I need to embed a shell command inside an app. The way I am currently solving this is by using Automator.app.

It runs well enough except that it feels wrong security-wise because the resulting app has no hardened runtime, no sandbox.

I tried to emulate what Automator.app does directly in Xcode, by selecting the project template "Command line tool". However, as soon as I enable the app sandbox, it crashes. I can still get the hardened runtime though.

So a few quick questions:

  1. Is the sandbox only there to protect against the app itself (in which case I should not worry because I trust my own code), or, similarly to the hardened runtime, does it also protect against attacks on the app?

  2. I tried using the template "app". That obviously allows sandboxing, but that is not what I want because there is a GUI.

  3. Any thoughts on the best way to solve my original goal?

Thanks!

Replies

See Embedding a Command-Line Tool in a Sandboxed App.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the link. I saw this, but this is not exactly the use case: I was hoping to have only a simple command line tool, not embedded inside an app. I guess it's not really possible.

I was hoping to have only a simple command line tool, not embedded inside an app.

I’m sorry but I don’t understand this. Perhaps you could walk me through a typical user-level scenario of what you’re trying to achieve?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Well, let's imagine I have a Python script that does something easy to do in Python but hard in Swift: script.py

I would like to run this Python script on a macOS system, but to protect the Python process against tampering, I would like this Python process to have a hardened runtime.

In the link you sent, there is a fully fledged app, in addition to the script. So I was wondering if there was a simpler way to do this, without the full app.

Also, with the technique described in the link, I don't know if the command-line tool itself is actually protected by the hardened runtime.
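As an added example, not part of this thread and not Apple's own tooling or documentation: a small POSIX shell check for the last question, whether a built command-line tool actually carries the hardened runtime flag and the App Sandbox entitlement. It assumes macOS `codesign` and the text formats it prints (`codesign -dvvv` reports the code directory flags on stderr, with hardened runtime shown as `(runtime)`; `codesign -d --entitlements -` prints the entitlements plist). The sample outputs embedded below are constructed to mirror those formats so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a signed binary actually
# has the hardened runtime flag and the App Sandbox entitlement.
# On macOS, feed these functions the real output of:
#   codesign -dvvv <binary> 2>&1
#   codesign -d --entitlements - <binary> 2>/dev/null

# Returns 0 if the CodeDirectory "flags=" field lists "runtime", i.e. the
# binary was signed with --options runtime (hardened runtime enabled).
has_hardened_runtime() {
    printf '%s\n' "$1" \
      | grep -E '^CodeDirectory .*flags=0x[0-9a-f]+\(.*runtime.*\)' >/dev/null
}

# Returns 0 if the entitlements plist sets com.apple.security.app-sandbox
# to true. Whitespace is stripped so indentation and line breaks do not matter.
has_app_sandbox() {
    printf '%s\n' "$1" | tr -d '\n\t ' \
      | grep -E '<key>com\.apple\.security\.app-sandbox</key><true/>' >/dev/null
}

# Convenience wrapper for real use on macOS: pass the path of a signed binary.
# Exit status 2 means codesign could not read the binary at all (unsigned or missing).
check_binary() {
    _info=$(codesign -dvvv "$1" 2>&1) || return 2
    _ent=$(codesign -d --entitlements - "$1" 2>/dev/null)
    if has_hardened_runtime "$_info"; then echo "hardened runtime: yes"; else echo "hardened runtime: NO"; fi
    if has_app_sandbox "$_ent";        then echo "app sandbox: yes";      else echo "app sandbox: NO";      fi
}

# Constructed sample output in the shape codesign prints (not captured from a real tool).
SAMPLE_INFO_HARDENED='Executable=/tmp/example/mytool
Identifier=com.example.mytool
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded'

SAMPLE_INFO_PLAIN='Executable=/tmp/example/mytool
Identifier=com.example.mytool
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+7 location=embedded'

SAMPLE_ENT_SANDBOXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>'

SAMPLE_ENT_NONE=''

# Stand-alone demonstration on the constructed samples.
if has_hardened_runtime "$SAMPLE_INFO_HARDENED"; then echo "sample 1: hardened runtime detected"; fi
if ! has_hardened_runtime "$SAMPLE_INFO_PLAIN";  then echo "sample 2: no hardened runtime"; fi
if has_app_sandbox "$SAMPLE_ENT_SANDBOXED";       then echo "sample 3: sandbox entitlement present"; fi
if ! has_app_sandbox "$SAMPLE_ENT_NONE";          then echo "sample 4: no sandbox entitlement"; fi
```

On a real machine, `check_binary /path/to/mytool` runs both `codesign` queries and reports each property; a tool that prints "hardened runtime: NO" is the case the last question worries about, regardless of whether the app bundle around it is hardened.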