App Sandbox

App Sandbox is a macOS access control technology designed to contain damage to the system and user data if an app becomes compromised.

Posts under App Sandbox tag

95 Posts
Post not yet marked as solved
1 Replies
836 Views
An iOS app running in the simulator has complete access to the Mac's file system:

// Files in protected directory like Desktop, Documents, Calendar, etc will need additional permissions.
let filesInSystem = FileManager.default.enumerator(at: .currentDirectory(), includingPropertiesForKeys: nil)?.allObjects

This isn't the case when running on device, as the app is sandboxed. Is the same possible when running in the simulator? More specifically, is there a way to restrict access to the Mac's file system when running an app in the Simulator? This is particularly useful when trying out binaries/frameworks that are not open-sourced.
Post marked as solved
4 Replies
833 Views
Hello, I have a sandboxed Mac app which is launching a helper app. The main app has sandbox enabled and has the get-task-allow entitlement. From the main app I launch[1] a helper which is an application bundle located in Contents/Helpers of the main bundle. The helper has sandbox enabled and the com.apple.security.inherit entitlement. Currently I have a problem attaching the debugger to the helper process or getting access to location services from it (but that's probably a different issue). I checked the responsible process and it seems to be set up to the correct PID of the main application. Xcode is reporting a "Not allowed to attach to process" error and I see the same in the log:

macOSTaskPolicy: (com.apple.debugserver) may not get the task control port of (com.****) (pid: 31628): (com.****) is hardened, (com.****) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger(com.apple.debugserver) is not a declared read-only debugger

To add more context, what I'm trying to achieve is that we run certain parts of our app in separate child processes so we can restart them if anything goes wrong [2]. So I have a few questions:

Do I need to launch the helper (child) process a particular way to be able to attach a debugger to it?
Is there a tool to inspect sandboxes (rules applied and the inheritance)?
Do I really need to explicitly enable sandboxing and inheritance on the helper app, doesn't it run in the parent's sandbox anyway?

Thank you.

[1] We use boost::child_process for launching the helper, which is using popen behind the scenes, but I have the same experience with NSTask.
[2] I know that's what XPC Services are for but don't ask :-)
Post not yet marked as solved
1 Replies
571 Views
Hello! I'm curious about how the com.apple.developer.hid.virtual.device entitlement works with apps. The documentation hints that it should only be used within a driver. However, on macOS 13 I can successfully compile an app and create a virtual HID device. On earlier versions, such as macOS 12, the app crashes on launch and there's a message in the console:

ASI found [libsystem_secinit.dylib] (sensitive) 'failed to compile sandbox profile /System/Library/Sandbox/Profiles/application.sb:1010:15: unbound variable: iokit-user-client-class-name '

Everything seems to be working with the sandbox turned off. Is there a way to use the aforementioned entitlement in a sandboxed app or should I fall back to DriverKit?
Post not yet marked as solved
3 Replies
657 Views
I have a sandboxed/hardened app that is distributed outside of the Mac App Store. I want to allow the app to auto-update itself. I currently have the ability in the app to figure out if there is a newer version, which then informs the user and gives them an option to download the app (currently it downloads to ~/Downloads in the app container). The app comes as a simple zip file that only includes the app itself. Once downloaded, NSWorkspace.shared.open(URLtoDownloadedUpdate) will expand the zip and place the app in ~/Downloads. What I want is for it to replace the current version of the app with this newly downloaded version. Is this possible? First, how do I find out where the old app is stored? And then how do I replace it with the new version when the old app is still running? I realize many people use Sparkle to do this instead of rolling their own. I simply do not want to depend on a third party.
Post not yet marked as solved
1 Replies
341 Views
Hello, I'm trying to allow my macOS app written in Swift to run a kill command. It works when I test it manually in my terminal, but when I run it in the app I get a "not permitted" error. I was reading about workspace authorization and put in a request, but I got a response saying I didn't need that type of authorization for what I'm doing. Any help pointing me in the right direction? https://developer.apple.com/documentation/appkit/nsworkspaceauthorizationtype Thanks!
Post not yet marked as solved
1 Replies
703 Views
Hi, I'm working on an Xcode Source Editor Extension. Currently, I have App Sandbox enabled and everything works as expected. I have some features I'd like to add that would require me to disable the App Sandbox and release the extension and containing app outside of the App Store. However, whenever I remove the App Sandbox capability from my project and re-run the extension, I can no longer see my extension appear in the Editor menu - it's just gone. My question is - are Xcode Source Editor Extensions only limited to sandboxed environments or can they operate out of the sandbox? If so, how come I don't see it in Xcode 15?
Post marked as solved
3 Replies
654 Views
I am developing a tool for myself using Swift and SwiftUI where I can retrieve student projects using git and then run Maven tests for the projects. The app is not sandboxed, since it is just for my personal use. I use Process to launch git clone or git pull, and then get the commit log and parse the commit data into the app database. All this works just fine; I can see the app database table populated with repository commit data. But when I do the same to execute Maven tests, and call

try process.run()
process.waitUntilExit()

the process never returns, unlike running git the same way. The only difference is the command executed and the arguments given to Process. In the process view, I can see that there is a java child process running in my app, but it never (like in the tens of minutes I have waited) completes. Running the same mvn test command...:

/opt/apache-maven-3.6.3/bin/mvn -Dstyle.color=never -Dtest=ReverseArrayRangeTests test

...from the command line finishes in a couple of seconds. While running the Maven command below executes just fine from Process:

/opt/apache-maven-3.6.3/bin/mvn -DskipTests -Dstyle.color=never package

In this case, I can see the output from the process while it builds the .jar package from the project. Is there something special in running the mvn test command, running Java in the child process, that it just does not work? Takes too many resources or something? macOS limiting what the child process can do, even though the app is not sandboxed? I have also tried to Archive the app and run it outside of Xcode debugging, but that doesn't change anything. My previous solution was to run the tests separately in Terminal using a shell script, saving the test results to a log file the app then read and parsed. But I'd like to do everything within the same GUI app, if possible. Any ideas?
Post not yet marked as solved
1 Replies
360 Views
Hi, is it possible for a user to remove the implicit permission he or she gave to an app after opening a folder using a standard dialog? I'm asking this because a discussion took place with actual users reasonably arguing that the action may have been a mistake, not intentional at all, so at least we should give them a way to revert what was wrongly interpreted as intent. I believe that they are right and there should be a simple user-level way of doing that. So I looked for a way to remove the bookmark from the command line but to no avail. Thanks, Carlos.
Post not yet marked as solved
5 Replies
788 Views
I found my pkg installer fails while writing to the Data Container in the App Sandbox since macOS 14 Sonoma. What is wrong with my installer? My pkg will install a file to the App Sandbox Container. (Destination Path: "~/Library/Containers/net.mtgto.inputmethod.macSKK/Data/Documents/Dictionaries/SKK-JISYO.L") But I found Installer always asks:

"Installer" would like to access data from other apps. Keeping app data separate makes it easier to manage your privacy and security.

Click the "Don't Allow" button and Installer.app says "The installation failed". This dialog is not shown on macOS 13 Ventura. So it seems to relate to App Sandbox changes in macOS 14: https://developer.apple.com/documentation/security/app_sandbox/accessing_files_from_the_macos_app_sandbox Is there a way to write to the App Sandbox Container from a pkg? For details: https://github.com/mtgto/macSKK/issues/54 Also you can download the installer from https://github.com/mtgto/macSKK/releases/tag/0.9.1 (the pkg file is in macSKK-0.9.1.dmg)
Post not yet marked as solved
2 Replies
415 Views
Hi, I have a developer tool that often needs access to files outside of the file the user has selected. For example, they can easily select a file that contains a reference to an include file NOT in the current folder or a descendant. But I still need access to that file. How do I handle this, on the latest version of macOS? Right now it just fails to give me access to the file, making it look like our Mac version is WAY BEHIND the Windows version. Oh, and this needs to be in the App Store eventually, but right now I need it to be available outside of it, so I have to use my Developer ID and notarize it. I think I've got all of that nailed down, but I'm still having file permission issues. My entitlements currently (which don't work):

com.apple.security.cs.disable-library-validation
com.apple.security.cs.disable-executable-page-protection
com.apple.security.app-sandbox
com.apple.security.files.user-selected.read-write

Thank you, -Chilton
Post not yet marked as solved
1 Replies
329 Views
I have an app that needs to read a file the user selects from an Open dialog. Right now it works fine on my machine (of course), but doesn't let my app access the file on other systems. I code signed it using my Apple Developer ID. I have notarized it. I have checked it all with notarytool and it shows NO ERRORS and, as far as I can tell, no warnings either. Here are the entitlements:

com.apple.security.cs.disable-library-validation
com.apple.security.cs.disable-executable-page-protection
com.apple.security.app-sandbox
com.apple.security.files.user-selected.read-write

What could I be doing wrong? Thank you, -Chilton
Post marked as solved
3 Replies
771 Views
I've recently updated my development laptop, and my continuous integration build nodes (a pair of Mac minis), to macOS Sonoma. Prior to this update, my CI workflows passed without issue. Since updating, every time I attempt to run my app's unit tests, an impassable alert is shown stating:

"MyApp" differs from previously opened versions. Are you sure you want to open it? Opening "MyApp" will allow it to access data from previously used versions of "MyApp".

My tests go no further, and my CI workflows fail. I found that if I switched from using Ad-Hoc code signing for my tests, this dialog is no longer shown on my local development laptop; however, it is still shown on my CI nodes. Is there some way to tell Xcode to bypass this warning? If there's not, Sonoma doesn't seem to be usable for doing testing.
Post not yet marked as solved
5 Replies
996 Views
I'm trying to create a simple HTTP server. When I do it in the main target of my macOS app it works, but when I do it in the uitests target it fails (result == -1 (Operation not permitted)). Interestingly, when I run it in the iOS uiTests target it works.

let sockfd = socket(AF_INET, SOCK_STREAM, 0)
var serverAddress = sockaddr_in(sin_len: __uint8_t(MemoryLayout<sockaddr_in>.size), sin_family: sa_family_t(AF_INET), sin_port: CFSwapInt16HostToBig(8080), sin_addr: in_addr(s_addr: inet_addr("127.0.0.1")), sin_zero: (0, 0, 0, 0, 0, 0, 0, 0))
let result = withUnsafePointer(to: &serverAddress) {
    $0.withMemoryRebound(to: sockaddr.self, capacity: 1) {
        Darwin.bind(sockfd, $0, socklen_t(MemoryLayout<sockaddr_in>.size))
    }
}

I've got this set in my main target entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>
</plist>

What can be the reason that it fails? How can I fix it?
Post marked as solved
1 Replies
499 Views
I am trying to test an application in a SANDBOX environment. iPhone XR, iOS 17.0.3, Xcode 15.0.1. Everything works, but with every transaction or update I get a lot of CoreServices warnings, error messages, etc.
Post not yet marked as solved
1 Replies
765 Views
My app iterates over all folders on disk and queries the metadata of each folder. After Sonoma was released, a bunch of users (but not all) complained that the app has become very slow or stalls indefinitely while performing the scan. I have narrowed down that the delay occurs in the POSIX open() function, and the folders it stalls on are folders inside ~/Library/Containers and ~/Library/Group Containers, which store data of sandboxed apps. My app is not sandboxed itself, and the problem doesn't happen on all Macs, only on a subset of Macs. I read in WWDC transcripts that in macOS Sonoma, Apple has introduced additional privacy access control to these particular folders, and my guess is that the delays and stalling are related to this new macOS feature. Is anyone else experiencing this problem? Can I do something to work around this problem? Or is this a bug in macOS Sonoma and I should report it to Apple?
Post not yet marked as solved
1 Replies
473 Views
Hello, I am currently designing a data backup solution, and have an unsandboxed launch agent written in DotNet 6 that needs read access to files in order to back them up. It is configured together with its own App Group (with the sandboxed GUI). However, this Launch Agent cannot access files or enumerate directories in ~/Library/Group Containers/com.apple.notes whatsoever (even after enabling full disk access for the calling app, the files are not restricted either). I am trying to access the NoteStore.sqlite and similar files so that the Launch Agent can read the file and upload it to S3. Is there some entitlement I need to add, or an access prompt? It seems like there are additional security layers for sandboxed folders for apps that I'm trying to bypass. What is the recommended solution for my use case? (For Ventura and Sonoma users)
Post not yet marked as solved
8 Replies
740 Views
Hi everyone, I've been trying for a few days and still getting the same errors, so any help would be appreciated!! I've got the app to pass the Validation in Xcode Organizer, but after I uploaded to App Store Connect through the Organizer, I'd get an email with errors, ITMS-90238: Invalid Signature, mentioning a long list of plugins, and then ITMS-90296: App sandbox not enabled. I'm not sure how to investigate these problems, so I've been just blindly trying everything. I've added the Sandbox capability in Xcode and have the entry in the entitlements file. The app even shows Sandbox Yes in Activity Monitor. This is a Qt app. I generated an Xcode project using qmake, then use Xcode to sign and upload. I tried both manually selecting the profile and letting Xcode manage signing automatically. I've tried both Distribution profiles and Development profiles. It was giving build errors in signing unless I used the --deep flag in Other Code Signing Flags. Then I read online that it's not recommended. So I've tried using the -codesign option in Qt's mac deployment tool, macdeployqt. It passed the validations but still gives the same error. I suspect it's doing a codesign --deep internally. This is how I'm using macdeployqt:

macdeployqt myapp.app -qmldir="$SOURCE_DIR"/qml -always-overwrite -appstore-compliant -codesign="$SIGNING_CERT"

Any advice would be much appreciated!! I'm on macOS Sonoma 14.0, Apple M2, Qt 6.5.3