Hello,
I have an application which is running sandboxed and it also launches child processes via posix_spawn. I already learned that child processes are running in the same sandbox as the launching application.
What I wonder is if there is a way to launch the child with different sandbox profile from the parent application while maintaining the parent-child relationship?
My use case is that helper applications don't need access to a bunch of stuff the parent needs and we want to limit blast radius in case of security problem. I know that's what XPCServices are for, but we have multi-platform code which is relying on the POSIX process model quite heavily.
Thank you
What I wonder is if there is a way to launch the child with different sandbox profile from the parent application while maintaining the parent-child relationship?
No.
Note: We don’t support custom sandboxes at all. That’s because, while the sandbox_init routine is public (albeit deprecated) API, the sandbox profile format has never been documented publicly. That doesn’t stop some folks using it though.
I know that's what XPCServices are for
Correct.
we have multi-platform code which is relying on the POSIX process model quite heavily.
I’m sure that’s nothing that another layer of abstraction can’t fix (-:
Seriously, it is possible to pass file descriptors over an XPC connection, so if your abstraction was ‘launch this child process in this environment and give me back some pipes connected to it’, it would be feasible to build that on top of XPC on macOS and Posix APIs on other platforms.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
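One concrete shape for the abstraction described in the reply, as an added example that is not from the thread or from Apple: the bundled XPC service (which gets its own, narrower sandbox from its entitlements) spawns the helper and returns the helper's stdout pipe as a file descriptor over the connection, so the parent ends up holding an ordinary POSIX fd. The service name the caller passes, the "path" and "stdout" message keys, and the helper path are all assumptions.

```objective-c
#include <xpc/xpc.h>
#include <spawn.h>
#include <unistd.h>
#include <errno.h>
extern char **environ;

// Service side (the bundled XPC service, running under its own narrower sandbox):
// spawn the helper with its stdout on a pipe and send the read end back over XPC.
static void handle_launch(xpc_connection_t peer, xpc_object_t msg) {
    const char *path = xpc_dictionary_get_string(msg, "path"); // "path" is a constructed key
    xpc_object_t reply = xpc_dictionary_create_reply(msg);
    int fds[2];
    if (path == NULL || pipe(fds) != 0) {
        xpc_dictionary_set_int64(reply, "errno", path ? errno : EINVAL);
        xpc_connection_send_message(peer, reply);
        return;
    }
    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO); // child's stdout -> pipe
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    char *const argv[] = { (char *)path, NULL };
    pid_t pid;
    int rc = posix_spawn(&pid, path, &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]); // only the child writes; the service keeps just the read end to hand over
    if (rc != 0) {
        xpc_dictionary_set_int64(reply, "errno", rc);
    } else {
        xpc_dictionary_set_int64(reply, "pid", pid);
        xpc_dictionary_set_value(reply, "stdout", xpc_fd_create(fds[0])); // xpc_fd_create dup(2)s the fd
    }
    close(fds[0]);
    xpc_connection_send_message(peer, reply);
}

// Parent side: the 'launch this and give me back a pipe' abstraction from the reply.
// On macOS it is backed by the service above; on other platforms by posix_spawn directly.
static int launch_helper(const char *service_name, const char *path) {
    xpc_connection_t conn = xpc_connection_create(service_name, NULL);
    xpc_connection_set_event_handler(conn, ^(xpc_object_t event) { (void)event; });
    xpc_connection_resume(conn);
    xpc_object_t req = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_string(req, "path", path);
    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, req);
    if (xpc_get_type(reply) != XPC_TYPE_DICTIONARY) return -1; // connection error
    return xpc_dictionary_dup_fd(reply, "stdout"); // -1 if the service reported an error,
}                                                  // otherwise an ordinary pipe fd for read(2)
```

handle_launch is meant to be called from the per-connection event handler the service installs under xpc_main; the helper then runs with the service's sandbox rather than the parent's, which is the blast-radius reduction the question asks about.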