Is opening shared memory allowed in services having the App Sandbox entitlement?

I am trying to open System V shared memory in my app, which has the App Sandbox capability/entitlement enabled. But the system is failing at the ftok() function call.

How can I open/create shared memory in such cases? We know we have a container folder at '~/Library/Containers' where the app has exclusive read/write permission. Is there a way to associate a file in this container folder to map the shared memory?

Note: I want to open shared memory to be used between the apps/services which are in the same app group. And I am not looking for any alternate sharing method like XPC.

I am creating this shared memory between my app and the network extension service.

Accepted Reply

System V IPC is a compatibility API on macOS. We recommend against using it in new code. Given that, it shouldn’t come as a big surprise that it doesn’t have a good story regarding the App Sandbox.

If you want to share memory with that style of API, use Posix shared memory (shm_open and friends). Sandboxed processes can share that via an App Group. See IPC and POSIX Semaphores and Shared Memory in the App Sandbox Design Guide.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies

I checked further and found that it is the shmget function call that is failing; below is the error in the logs:

2022-11-15 11:02:45.051915+0530 0x2da   Error    0x0         132  0  sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: com.mycompanysecur(86334) deny(1) ipc-sysv-shm
Violation:      deny(1) ipc-sysv-shm
Process:        com.skyhighsecur [86334]
Path:           /Library/SystemExtensions/DBAD18A1-0222-46DE-BDCE-C79C93F32254/com.mycompanysecurity.epclient.networkextension.systemextension/Contents/MacOS/com.mycompanysecurity.epclient.networkextension
Load Address:   0x1000b8000
Identifier:     com.mycompanysecurity.epclient.networkextension
Version:        1 (1.0)
Code Type:      x86_64 (Native)
Parent Process: launchd [1]
Responsible:    /Library/SystemExtensions/DBAD18A1-0222-46DE-BDCE-C79C93F32254/com.mycompanysecurity.epclient.networkextension.systemextension/Contents/MacOS/com.mycompanysecurity.epclient.networkextension
User ID:        0

Date/Time:      2022-11-15 11:02:44.963 GMT+5:30
OS Version:     macOS 11.6.5 (20G517)
Report Version: 8

MetaData: {"profile-in-collection":false,"action":"deny","build":"macOS 11.6.5 (20G517)","platform_binary":"no","uid":0,"summary":"deny(1) ipc-sysv-shm","hardware":"Mac","flags":5,"signing-id":"com.mycompanysecurity.epclient.networkextension","errno":1,"process-path":"/Library/SystemExtensions/DBAD18A1-0222-46DE-BDCE-C79C93F32254/com.mycompanysecurity.epclient.networkextension.systemextension/Contents/MacOS/com.mycompanysecurity.epclient.networkextension","profile-flags":0,"container":"/private/var/root/Library/Containers/com.mycompanysecurity.epclient.networkextension/Data","team-id":"W6824P2V89","pid":86334,"apple-internal":false,"process":"com.mycompanysecur","responsible-process-path":"/Library/SystemExtensions/DBAD18A1-0222-46DE-BDCE-C79C93F32254/com.mycompanysecurity.epclient.networkextension.systemextension/Contents/MacOS/com.mycompanysecurity.epclient.networkextension","operation":"ipc-sysv-shm","platform-binary":false,"platform-policy":false}

Is there any way, by adding a new capability or runtime exception, that we can allow System V shared memory functions/features in an app with the Sandbox capability?

Yes, POSIX shared memory did work, but we need to keep the group name very small to make it work. Thanks for the help.

Cheers
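
The POSIX route from the accepted reply, as an added example that is not part of the original thread and not Apple's code: the object name is the App Group ID, a slash, then a name of your choosing, and macOS caps the whole name at 31 characters (PSHMNAMLEN), which is consistent with the last reply's need for a short group name. The group ID `ABCDE12345.grp` and the helper names `make_group_shm_name` and `map_group_shm` are constructed placeholders.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* macOS caps POSIX shm names at 31 characters (PSHMNAMLEN in <sys/posix_shm.h>). */
#define SHM_NAME_MAX 31

/* Build "<app-group-id>/<suffix>"; returns 0, or -1 with errno set if unusable. */
int make_group_shm_name(char *out, size_t outlen, const char *group, const char *suffix)
{
    if (!*group || !*suffix || strchr(suffix, '/')) { errno = EINVAL; return -1; }
    int n = snprintf(out, outlen, "%s/%s", group, suffix);
    if (n < 0 || (size_t)n >= outlen || n > SHM_NAME_MAX) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Create the object if absent, otherwise attach to it, and map `size` bytes. */
void *map_group_shm(const char *name, size_t size)
{
    int created = 1;
    /* 0600 is owner-only; a peer running as another non-root user needs a wider mode. */
    int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST) { created = 0; fd = shm_open(name, O_RDWR, 0); }
    if (fd < 0) return NULL;
    /* Size only a fresh object: macOS rejects ftruncate on one that is already sized. */
    if (created && ftruncate(fd, (off_t)size) != 0) { close(fd); shm_unlink(name); return NULL; }
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd); /* the mapping stays valid after the descriptor is closed */
    return p == MAP_FAILED ? NULL : p;
}

int main(void)
{
    char name[64];
    /* Constructed placeholder group ID; use the one from your own entitlements. */
    if (make_group_shm_name(name, sizeof name, "ABCDE12345.grp", "state") != 0) {
        perror("shm name"); return 1;
    }
    void *p = map_group_shm(name, 4096);
    if (!p) { perror(name); return 1; }
    printf("mapped %s at %p\n", name, p);
    munmap(p, 4096);
    return 0;
}
```

Both processes must list the same App Group in their entitlements and pass the same name; a too-long name is rejected here before `shm_open` would fail with ENAMETOOLONG.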