According to https://developer.apple.com/documentation/security/app_sandbox/discovering_and_diagnosing_app_sandbox_violations it is possible to view detailed violation reports for non-system services. Is it possible to do something similar for system services?
I have encountered an issue where several (all?) of my Macbooks get into a sandbox violation situation (I assume). Below is in excerpt from logs focusing just on the sandbox violation. The errors are surrounded by XPC failures and errors.
error 23:23:21.382263+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:24.385962+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:27.389910+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:36.408940+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:45.419593+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:54.432109+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
The above is just an except, and it seems that Family
, imagent
and searchpartyuseragent
are trying to access com.apple.contactsd.persistance
once per second or so and failing (there are also some attempts to reach com.apple.timed.xpc
, but an insignificant amount in comparison to com.apple.contactsd.persistance
). This in turn causes Diagnostics Reporter to start, and then end hastily almost every ten seconds.
fault 23:23:05.903908+0100 Diagnostics Reporter Invalid launch.
fault 23:23:16.038017+0100 Diagnostics Reporter Invalid launch.
fault 23:23:26.136348+0100 Diagnostics Reporter Invalid launch.
fault 23:23:36.274543+0100 Diagnostics Reporter Invalid launch.
fault 23:23:46.414546+0100 Diagnostics Reporter Invalid launch.
I have no idea how I did this, but I seemed to have messed up sandbox access rights to contacts for some system services?