3 Replies
      Latest reply on May 27, 2020 1:39 AM by eskimo
      gbiondo Level 1 Level 1 (0 points)

        Hi all.

         

        I have a problem with the sandbox. I would like to run a simple shell command on a file I select with an "open" dialog, and I receive the usual "xcrun: error: cannot be used within an App Sandbox".

         

        Basically my code does this:

         

        if (targetFilePath != ""){
                    let path = "/usr/bin/strings"
                    let arguments = [targetFilePath]
                    let task = Process()
                    task.arguments = arguments
                    task.executableURL = URL(fileURLWithPath: path)
                    let outputPipe = Pipe()
                    let errorPipe = Pipe()
        
        
                    task.standardOutput = outputPipe
                    task.standardError = errorPipe
        
        
                    do {
                        try task.run()
                        let outputData = outputPipe.fileHandleForReading.readDataToEndOfFile()
                        let errorData = errorPipe.fileHandleForReading.readDataToEndOfFile()
                        let output = String(decoding: outputData, as: UTF8.self)
                        let error = String(decoding: errorData, as: UTF8.self)
                        let outputString = "\(path) \(targetFilePath)\nSTDOUT: \(output)\n\nSTDERR: \(error)"
                        outputField.string = outputString
                    } catch {
                        outputField.string="Error somewhere"
                    }
                } else {
                    outputField.string = "Choose a file!"
                }
        

         

        outputField being a normal text field, and targetFilePath is a global variable of type String. The entitlements I have chosen are as follows:

         

        <dict>
          <key>com.apple.security.app-sandbox</key>
          <true/>
          <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
          <true/>
          <key>com.apple.security.cs.debugger</key>
          <true/>
          <key>com.apple.security.cs.disable-executable-page-protection</key>
          <true/>
          <key>com.apple.security.cs.disable-library-validation</key>
          <true/>
          <key>com.apple.security.files.downloads.read-only</key>
          <true/>
          <key>com.apple.security.files.user-selected.read-write</key>
          <true/>
          <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
          <true/>
        </dict>
        

         

        Did I miss something? I understood that choosing a file from the Dialog would give my app the permissions to access it.

         

        What am I doing wrong?

         

        Thanks

        • Re: Problem with Sandboxing and opening a file
          eskimo Apple Staff Apple Staff (13,945 points)

          The problem here is that /usr/bin/strings is not the implementation of the strings command, but rather a trampoline that bounces to the equivalent command built in to your currently selected Xcode [1], or command-line tools package [2], or the base OS.  This trampoline contains a specific check to see whether it’s running within the App Sandbox and refuses to run in that case.  You can avoid this by running the real tool from the location that xcrun would resolve to, but there are many drawbacks to that.

          What’s your distribution model here?  Given that strings isn’t built in to the base OS, it’s hard to imagine you trying to distribute this to normal users, and distributing to normal users via the Mac App Store is the most common reason that folks sandbox their app.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          [1] For example, /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/strings.

          [2] For example, on 10.15, this would be /Library/Developer/CommandLineTools/usr/bin/strings.

          [3] On 10.15 these tools are in /usr/libexec/DeveloperTools.  This isn’t relevant for strings though, because there’s no version of strings installed in the base OS.

            • Re: Problem with Sandboxing and opening a file
              gbiondo Level 1 Level 1 (0 points)

              Thanks for your answer.

              My question now becomes: if you would like to extract strings from a binary file, then, how would you do it without using the strings utility?

              As for the reasons for sandboxing: at the end of the day, sandboxing is the right thing to do, so I want to use it.

                • Re: Problem with Sandboxing and opening a file
                  eskimo Apple Staff Apple Staff (13,945 points)

                  if you would like to extract strings from a binary file, then, how would you do it without using the strings utility?

                  That depends.  If you’re targeting arbitrary binary files, I’d probably just write the code myself.  The algorithm used by strings is very simplistic; see the bottom of this file for the current implementation.  There’s a bunch of other code in that file but most of it is to handle Mach-O images correctly, so you can ignore unless you’re specifically interested in Mach-O.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"