I have an app that runs on macOS Monterey.
For various reasons, I have to externally add a sandbox entitlement (externally, as in using codesign, rather than rebuilding it).
After adding the sandbox entitlement, and resigning appropriately, the app crashes on launch with the following error:
ERROR:process_singleton_posix.cc(1186)] Failed to bind() /var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket
So I assumed I needed to give access to this file. So I added the following entitlements to the app, via codesign:
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
    <string>/var</string>
    <string>/var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket</string>
</array>
and also
<key>com.apple.security.network.client</key> <true/>
<key>com.apple.security.network.server</key> <true/>
Unfortunately, it still crashes on load, with the same error.
Does anyone know why that is? From my perspective, I gave the appropriate entitlements to bind a socket at that path, what am I missing?
Thanks!
So I assumed I needed to give access to this file.
Sadly, this approach is a non-starter. The message you’re seeing, Failed to bind(), and the last item of the path, SingletonSocket, suggest that the app is using a Unix domain socket. The file system temporary exception entitlements, like com.apple.security.temporary-exception.files.absolute-path.read-write, only work for files (hey, it’s in the name!). So the app will be able to work with files at that path but it won’t be able to work with Unix domain sockets at that path.
A sandboxed app can create Unix domain sockets in its container or in any container that it has access to via an app group. That works just fine, and you can even use it to share the socket between multiple apps from the same team. However, setting that up would require you to change the app’s code.
For various reasons, I have to externally add a sandbox entitlement (externally, as in using codesign, rather than rebuilding it).
That’s going to be really challenging. While you can add the App Sandbox entitlements without changing the code, the code has to actually work in the sandbox. My experience is that any reasonably large app will always have to make code-level changes to support the sandbox. In some cases those changes are minor, but they’re always there.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
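As an added example (not code from the original post, and not the app’s or Chromium’s own code), here is the code-level change Quinn is pointing at, written in plain C. The file name in the log, process_singleton_posix.cc, is a Chromium source file, and what it does is roughly this handshake: probe the socket to see whether another instance is alive, otherwise clear any stale socket file and bind() a fresh listener. The part a sandboxed app has to change is where the socket lives: the directory is a parameter here, and a real macOS app would pass its own container (NSHomeDirectory()) or an app-group container (NSFileManager’s containerURLForSecurityApplicationGroupIdentifier:), both of which are Cocoa calls outside this C example; SOCKET_DIR below is a placeholder for that directory. The example also checks a caveat those long container paths run into: sun_path is 104 bytes on macOS (108 on Linux), so an overlong path is rejected rather than silently truncated.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Build "<dir>/<name>" into sa->sun_path. Returns 0, or -1 with errno set.
 * sun_path is 104 bytes on macOS (108 on Linux). App-group container paths
 * ("/Users/<user>/Library/Group Containers/<TEAMID>.<group>/...") are long,
 * so reject an overlong path instead of letting snprintf truncate it. */
static int make_sockaddr(const char *dir, const char *name,
                         struct sockaddr_un *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    int n = snprintf(sa->sun_path, sizeof sa->sun_path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof sa->sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Process-singleton handshake over a Unix domain socket.
 * Returns  1: no other instance; *listen_fd now owns the listening socket.
 *          0: a live instance answered the probe; caller hands off and exits.
 *         -1: error, errno set. Inside the App Sandbox, a bind() at a path
 *             outside the app's container fails here (the OP's crash site). */
int singleton_acquire(const char *dir, const char *name, int *listen_fd)
{
    struct sockaddr_un sa;
    *listen_fd = -1;
    if (make_sockaddr(dir, name, &sa) < 0)
        return -1;

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    /* Probe first: a live listener accepts the connection; a socket file
     * left behind by a crashed instance yields ECONNREFUSED. */
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        close(fd);
        return 0;
    }
    if (errno != ENOENT && errno != ECONNREFUSED) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }

    unlink(sa.sun_path);              /* clear a stale socket file, if any */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    *listen_fd = fd;
    return 1;
}

/* Close the listener and remove the socket file. Returns 0 or -1. */
int singleton_release(int listen_fd, const char *dir, const char *name)
{
    struct sockaddr_un sa;
    if (listen_fd >= 0)
        close(listen_fd);
    if (make_sockaddr(dir, name, &sa) < 0)
        return -1;
    return unlink(sa.sun_path);
}

/* Stand-alone demo. SOCKET_DIR is a placeholder (assumption) for the app's
 * own container or app-group container directory, which is what a sandboxed
 * app can actually bind() in. */
#define SOCKET_DIR "/tmp/singleton_example"

int main(void)
{
    int fd;
    mkdir(SOCKET_DIR, 0700);
    int r = singleton_acquire(SOCKET_DIR, "SingletonSocket", &fd);
    if (r < 0) {
        perror("singleton_acquire");
        return 1;
    }
    puts(r == 1 ? "first instance, listening"
                : "another instance is already running");
    if (r == 1)
        singleton_release(fd, SOCKET_DIR, "SingletonSocket");
    return 0;
}
```

Run it twice concurrently and the second copy reports the first; kill the first without letting it clean up and the next run reclaims the stale socket file. If you port this into a sandboxed app, also drop the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement for /var: with the socket inside the container it is no longer needed, and a read-write exception on /var is a far larger hole than the sandbox is meant to leave.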