sandbox-exec file-write behaves unexpectedly

hi
I have a rules file like this


(version 1)
(deny default)
...
(allow file-write* (regex "/Users/thomas/Desktop"))


When I use it on app A, it works fine (the app can write to the desktop) but when use it on app B, it doesn't work (the app cannot save a file to the desktop). So I made a test app (app C), a simple cocoa app that just writes a dummy string to a file, and it still doesn't work. If I replace (allow file-write* (regex "/Users/thomas/Desktop")) with (allow file-write*) it works on app B and C too, so I know that's the only thing that's wrong.


So I really don't understand what's going on. How can it work for app A but not for B or C? Especially given that:

  • allowing all file-writes works (so I know the regex is the culprit, even though it works for app A (I tested that the app A can save to Desktop but not to other locations)
  • app C is minimal and is not a "blackbox"
  • I tried tons of different variations: literal instead of regex, "^/Users/thomas/Desktop", "^/Users/thomas/Desktop/" , "^/Users/thomas/Desktop/*", ...
  • apps A, B and C are not sandboxed apps if I run them normally (I can check this in the activity monitor)


Thanks in advance for your help!

Up vote post of thomasjannaudpointfr Down vote post of thomasjannaudpointfr
1.6k views
Posted by
thomasjannaudpointfr
Reply

  • delete this comment

    bswift
Add a Comment

Accepted Reply

why doesn't it work?

I’ve no idea, sorry. I just wanted to make sure you weren’t planning to ship a product based on this.

Would there be other alternatives?

Personally, if I need to run software I don’t trust, I do so in a VM.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

Just to be clear, the sandbox profile format is not documented for third party use. Feel free to experiment with this stuff, but please don’t try to ship a product based on it.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

maybe undocumented but... why doesn't it work? Would there be other alternatives?
As a context: I have downloaded some software and I would feel better if I could run it with sandbox-exec or something.
Thanks!

Posted by
thomasjannaudpointfr
Up vote reply of thomasjannaudpointfr Down vote reply of thomasjannaudpointfr
Add a Comment

why doesn't it work?

I’ve no idea, sorry. I just wanted to make sure you weren’t planning to ship a product based on this.

Would there be other alternatives?

Personally, if I need to run software I don’t trust, I do so in a VM.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

When developing profiles for sandbox-exec, monitoring sandbox log messages is very helpful to understanding exactly what is being denied. I watch the activity with this command ( that I found in /System/Library/Sandbox/Profiles/com.apple.RemoteManagementAgent.sb ) :

log stream --style compact --info --debug  --predicate '(((processID == 0) AND (senderImagePath CONTAINS "/Sandbox")) OR (subsystem == "com.apple.sandbox.reporting"))'

I've created profiles to add a layer of security when building open source apps, without the inconvenience and overhead of running in a VM. They are available at https://github.com/BrianSwift/macOSSandboxBuild

Posted by
bswift
Post not yet marked as solved Up vote reply of bswift Down vote reply of bswift
Add a Comment