Operation not permitted error when sandboxed daemon tries to write System Keychain

Hi,

I'm writing a sandboxed daemon that I register from my sandboxed application via SMAppService.

The registration is successful, and the daemon is called according to the logs. However, when I try to save an item into the keychain, I see entries like this in the logs:

(Security) SecItemAdd
[com.apple.securityd:atomicfile] create /Library/Keychains/System.keychain.sb-1c133873-RPL9wo: Operation not permitted
[com.apple.securityd:security_exception] UNIX error exception: 1
[com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted]
[com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted]

I'm attempting to create the item with the regular SecItemAdd function call:

import Foundation
import Security

let secretData = Data() // placeholder; the real payload is not shown in the post

let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrLabel as String: "[redacted string]",
    kSecAttrAccount as String: "[redacted string]",
    kSecAttrService as String: "[redacted string]",
    kSecValueData as String: secretData
]

// Keep the OSStatus so the failure is visible in the daemon itself, not only in securityd's log.
let status = SecItemAdd(query as CFDictionary, nil)

I'm guessing this is because the System keychain is outside of the sandbox for the daemon.

Is there a way to create items for the System Keychain from a sandboxed daemon?
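The snippet in the question discards the OSStatus that SecItemAdd returns, so the only evidence of the sandbox denial is securityd's own log. The following added example (not the original poster's code) wraps the same generic-password write so the daemon captures and decodes the status itself, and falls back to SecItemUpdate when the item already exists; the label, account, service and secret values are constructed placeholders standing in for the redacted ones.

```swift
import Foundation
import Security

// Added example, not code from the original post. Describes a generic-password
// item using the same attributes the question's query sets.
struct GenericPasswordItem {
    let label: String
    let account: String
    let service: String
}

/// Returns a human-readable description of a Security framework status code,
/// e.g. for logging why a keychain write was refused.
func describe(_ status: OSStatus) -> String {
    if let message = SecCopyErrorMessageString(status, nil) {
        return "\(message as String) (OSStatus \(status))"
    }
    return "unknown error (OSStatus \(status))"
}

/// Adds a generic-password item, or updates its secret if an item with the same
/// account/service already exists. Returns the final OSStatus so the caller can
/// log it; errSecSuccess means the item is now in the keychain.
func addOrUpdate(_ item: GenericPasswordItem, secret: Data) -> OSStatus {
    // Attributes that identify the item; reused for the update path below.
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: item.account,
        kSecAttrService as String: item.service,
    ]

    var addQuery = base
    addQuery[kSecAttrLabel as String] = item.label
    addQuery[kSecValueData as String] = secret

    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecDuplicateItem else { return status }

    // An item with this account/service is already present: replace its secret.
    let update: [String: Any] = [kSecValueData as String: secret]
    return SecItemUpdate(base as CFDictionary, update as CFDictionary)
}

// Constructed sample values standing in for the redacted fields in the question.
let item = GenericPasswordItem(label: "Example label",
                               account: "example-account",
                               service: "com.example.daemon")
let status = addOrUpdate(item, secret: Data("constructed-secret".utf8))
if status != errSecSuccess {
    // In the sandboxed-daemon case above, the "Operation not permitted" failure
    // shows up here as a non-zero status rather than silently disappearing.
    NSLog("Keychain write failed: %@", describe(status))
}
```

Logging the decoded status from the daemon is what lets you correlate a failed write with the securityd entries shown above when triaging sandbox denials.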

Answered by DTS Engineer in 801619022
I'm guessing this is because the System keychain is outside of the sandbox for the daemon.

I’ve seen this issue before. See this thread.

IMPORTANT The fix described in that thread (FB11916222) only applies to NE sysexes. If you’re building a generic launchd daemon, you’ll need to use the temporary exception entitlement.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
