Running commands for symbolication within the App Sandbox for Mac App Store

I'm trying to build a developer tools app that can run in the app sandbox and execute commands related to working with DSYM files. The app sandbox is a requirement for publishing it to the App Store. I come from the world of iOS so everything is a sandbox to me and this is new territory.

To execute my commands I'm using the Process type to invoke command line.

func execute() throws -> CommandResult {
        let task = Process()
        let standardOutput = Pipe()
        let standardError = Pipe()

        task.standardOutput = standardOutput
        task.standardError = standardError
        task.arguments = ["-c", command]
        task.executableURL = URL(fileURLWithPath: "/bin/zsh")
        task.standardInput = nil

        let outHandle = standardOutput.fileHandleForReading
        let errorHandle = standardError.fileHandleForReading

        try task.run()

        let out1 = outHandle.readDataToEndOfFile()
        let out2 = errorHandle.readDataToEndOfFile()

        // more code interpreting the pipes

I'm trying to perform the following operations:

This all works just fine when I run my Mac app without sandboxing, but as one would expect totally fails when App Sandbox is enabled--the sandbox is doing its thing.

Responses like "xcrun cannot be used within an App Sandbox", or simply the output not finding anything because the scope of the process is limited to the sandbox, not where my app DSYM file is.

In my readings on the documentation, where it states that I can create a command line helper tool that gets installed alongside the app sandbox app. "Add a command-line tool to a sandboxed app's Xcode project to the resulting app can run it as a helper tool." https://developer.apple.com/documentation/security/app_sandbox

Is this the right path to take? Or is there a way to still achieve access to xcrun by asking the user to grant access to other parts of the system via dialogue prompts?

I have followed this guide but don't know where to go from here: https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app It leaves off at print("Hello World") and no instructions on how to have your app communicate with the helper from what I could find ... :).

I know, generally speaking, of XPC services and that I have the ability to make them on macOS, unlike iOS (wait maybe 17.4 allows it? https://developer.apple.com/documentation/xpc anyways). Would creating an XPC helper be allowed to execute commands against xcrun or have access to the ~/Library/Developer/Xcode path to find the debug symbols for the purposes of symbolicating a crash report?

I really want to be able to ship my app on the App Store and enable developers to use the tool super easy, but I'm not sure if the App Sandbox will prevent me from achieving what I'm trying to do or not.

Any tips, pointers, samples, guidance is much appreciated!

Up vote post of edorphy Down vote post of edorphy
395 views
Posted by
edorphy
Reply
Add a Comment

Replies

Would creating an XPC helper [help]?

No. App Review requires that all your executables be sandboxed, so your XPC service would hit the same limitations.

Responses like "xcrun cannot be used within an App Sandbox",

I’ve talked about this before on DevForums, but it’s all a bit fragmented. I decided to collect everything together in a single post: Running Developer Tools from a Sandboxed App.

Regarding the big picture, you wrote:

I'm trying to perform the following operations:

This is going to be a challenge. I’ll address each of the tools you mentioned, albeit out of order (-:

  • dwarfdump to verify UUIDs

This is the easiest of the lot. I expect it’ll work, subject to the limitations in Running Developer Tools from a Sandboxed App.

  • atos to symbolicate with the found DYSM file

This tool is a lot more complex than dwarfdump, so I’m a lot less happy to recommend it because of the ‘it might change in the future’ issue discussed in Running Developer Tools from a Sandboxed App.

  • mdfind to locate DSYMs

This is problematic. The Spotlight API, and hence mdfind, will only return hits within your sandbox. You’ll need to find a way to extend your sandbox to include the locations that the user is likely to have their .dSYM files installed.

Oh, and if you do managed to extend your sandbox appropriately, it’ll probably be easier to calling the Spotlight API yourself rather than running mdfind.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo

  • Thanks Quinn @eskimo for putting that post together. I figured I would run into some limitations or that what I want to build would simply not work in a sandbox. It is easy (easier) for a developer to know where they placed their app binary DSYMs, but not intuitive where system framework DYSMs are located. This is a very related feedback that you can check out: FB12349101. The bigger flaw in my plan is symbolication of system frameworks only works if you had access to that device and os combo.

    edorphy
Add a Comment