Problem with Sandboxing and opening a file

Hi all.


I have a problem with the sandbox. I would like to run a simple shell command on a file I select with an "open" dialog, and I receive the usual "xcrun: error: cannot be used within an App Sandbox".


Basically my code does this:


if (targetFilePath != ""){
            let path = "/usr/bin/strings"
            let arguments = [targetFilePath]
            let task = Process()
            task.arguments = arguments
            task.executableURL = URL(fileURLWithPath: path)
            let outputPipe = Pipe()
            let errorPipe = Pipe()


            task.standardOutput = outputPipe
            task.standardError = errorPipe


            do {
                try task.run()
                let outputData = outputPipe.fileHandleForReading.readDataToEndOfFile()
                let errorData = errorPipe.fileHandleForReading.readDataToEndOfFile()
                let output = String(decoding: outputData, as: UTF8.self)
                let error = String(decoding: errorData, as: UTF8.self)
                let outputString = "\(path) \(targetFilePath)\nSTDOUT: \(output)\n\nSTDERR: \(error)"
                outputField.string = outputString
            } catch {
                outputField.string="Error somewhere"
            }
        } else {
            outputField.string = "Choose a file!"
        }


outputField being a normal text field, and targetFilePath is a global variable of type String. The entitlements I have chosen are as follows:


<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
  <key>com.apple.security.cs.debugger</key>
  <true/>
  <key>com.apple.security.cs.disable-executable-page-protection</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.files.downloads.read-only</key>
  <true/>
  <key>com.apple.security.files.user-selected.read-write</key>
  <true/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
  <true/>
</dict>


Did I miss something? I understood that choosing a file from the Dialog would give my app the permissions to access it.


What am I doing wrong?


Thanks

Up vote post of gbiondo Down vote post of gbiondo
743 views
Posted by
gbiondo
Reply
Add a Comment

Replies

The problem here is that 

/usr/bin/strings
is not the implementation of the 
strings
command, but rather a trampoline that bounces to the equivalent command built in to your currently selected Xcode [1], or command-line tools package [2], or the base OS. This trampoline contains a specific check to see whether it’s running within the App Sandbox and refuses to run in that case. You can avoid this by running the real tool from the location that 
xcrun
would resolve to, but there are many drawbacks to that.

What’s your distribution model here? Given that 

strings
isn’t built in to the base OS, it’s hard to imagine you trying to distribute this to normal users, and distributing to normal users via the Mac App Store is the most common reason that folks sandbox their app.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

[1] For example, 

/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/strings
.

[2] For example, on 10.15, this would be 

/Library/Developer/CommandLineTools/usr/bin/strings
.

[3] On 10.15 these tools are in 

/usr/libexec/DeveloperTools
. This isn’t relevant for 
strings
though, because there’s no version of 
strings
installed in the base OS.
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks for your answer.

My question now becomes: if you would like to extract strings from a binary file, then, how would you do it without using the strings utility?

As for the reasons for sandboxing: at the end of the day, sandboxing is the right thing to do, so I want to use it.

Posted by
gbiondo
Up vote reply of gbiondo Down vote reply of gbiondo
Add a Comment

if you would like to extract strings from a binary file, then, how would you do it without using the 

strings
utility?

That depends. If you’re targeting arbitrary binary files, I’d probably just write the code myself. The algorithm used by 

strings
is very simplistic; see the bottom of this file for the current implementation. There’s a bunch of other code in that file but most of it is to handle Mach-O images correctly, so you can ignore unless you’re specifically interested in Mach-O.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment