Unsandboxed XPCService launches sandboxed child processes

I have an application, it has main process and some child processes. As we want those child processes to have their own minimum sandbox privilege, not inheriting from parent process, we plan to use XPCService which uses a NSTask to launch those child processes, so those child processes can have its own sandbox privilege.

We plan to deliver the application to Mac App Store, so process mode is: the sandboxed main process builds connections to the unsandboxed XPCService, the unsandboxed XPCService launch those sandboxed child processes.

Can this process mode pass the Mac App Store rules? I see, there is a rule that all processes must be sandboxed, including XPCService. But I tested locally, the Application downloaded from Mac apple store also launches unsandboxed XPCService, like OneDrive.

Do you have any suggestions for my application scenario, sandboxed child processes having its own privilege not inheriting from parent?

Up vote post of jingliu1 Down vote post of jingliu1
219 views
Posted by
jingliu1
Reply
Add a Comment

Replies

Can this process mode pass the Mac App Store rules?

I don’t work for App Review, and thus generally don’t comment on their policy, but App Review Guidelines are pretty clear on this point:

2.4.5 Apps distributed via the Mac App Store … must be appropriately sandboxed

In your case, it should be fine to use an XPC service that has a different sandbox than your main app. And on the NSTask front, child processes inherit their sandbox from their parent, so that’s fine too. The only tricky thing is that the child’s executable must be signed with the com.apple.security.app-sandbox and com.apple.security.inherit entitlements, as discussed in Embedding a command-line tool in a sandboxed app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks for your response.

There are two options to config per-program sandbox policies.

  1. SBPL (Sandbox Profile Language), a low-level configuration language.
  2. Entitlements

As you mentioned

The only tricky thing is that the child’s executable must be signed with the com.apple.security.app-sandbox and com.apple.security.inherit entitlements

If the child executable is not signed with entitlements(app-sandbox), but using sandbox_init with SBPL policy after child process is launched to enable its sandbox capacity. Can it pass Mac App Store rule? Child process is also sandboxed.

I saw some developers experience about the sandbox entitlements Cannot submit mac app because com.apple.security.app-sandbox is removed from entitlements

What's more, adding one prerequisite to my question before,

Do you have any suggestions for my application scenario, sandboxed child processes having its own privilege not inheriting from sandboxed parent process? This application plans to deliver to MAS.

Posted by
jingliu1
Up vote reply of jingliu1 Down vote reply of jingliu1
Add a Comment