Sandbox app + Parallel Process + LAN Socket (validation app store)

It is possible for a sandboxed Mac app to launch a helper process and then communicate it via various IPC APIs. However, getting the details right can be a bit tricky.

What API are you using to launch your helper process?

This matters because of sandbox inheritance:

• If you launch it as a child process — using fork + exec*, posix_spawn, NSTask, Swift Process, and so on — it inherits the parent’s static sandbox.

• If you launch it as an independent process — typically using NSWorkspace — it gets its own sandbox.

the two parts communicate through a socket on the local network.

This two processes are on the same Mac, right? So what do you mean by “local network”? Is this TCP/IP? Or a Unix domain socket (AF_UNIX, aka AF-LOCAL)? Or something else?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I created an xCode project through a build in Unity. For it to work, it needs to execute an external "Unix Executable" outside of the project, which acts as a "Server." Through this executable, which exposes a socket channel, the Unity application and a mobile application communicate with each other. So, I created a "group" in xCode called "Server," which creates a "Server" folder inside the "Contents" folder of the .app file. The xCode build correctly places the files, and everything works fine until I enable the Sandbox. Once enabled, the "Unix Executable" necessary for communication is no longer executed. It seems that the Sandbox does not provide the necessary permissions to access that executable file.

It seems that the Sandbox does not provide the necessary permissions to access that executable file.

Given that this is an unbundled executable, it’s almost certain that you’re executing it as a child process, that is, via posix_spawn or some wrapper around that.

It is possible for sandbox apps to run child processes, but it’s a bit tricky. See Embedding a command-line tool in a sandboxed app.

which exposes a socket channel

What sort of socket? There are two common options here, and both of them present challenges:

• If you use a TCP/IP socket (AF_INET or AF_INET6) you could bump into local network privacy issues (introduced in macOS 15, currently a release candidate). I think you’ll be OK with you stick with localhost (127.0.0.1 or ::1) but I’m still coming up to speed on this technology on the Mac.

• If you use a Unix domain socket (AF_UNIX or AF_LOCAL), the App Sandbox requires that you put the listening socket in an app group container.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It is an application that uses socket.io (TCP/IP) and exposes a socket channel using the network interface address you are connected to the router with, for example: 192.168.1.55:300.

Here is a screenshot of the current situation. As I mentioned, I created a "Group" named "Server," and under that group, I added the references to the executable (and a library used within it). The file that is not being executed is "partyGameSocketServer."

I found that I could use posix_spawn() to run a second process from main. Now even with the sandBox enabled the process runs correctly without being killed. I had one last obstacle left to overcome, publishing on the mac store requires that the child process is also signed with the sandbox and I tried using these two keys "com.apple.security.app-sandbox" and "com.apple. security.inherit". The problem is that when I test it, after signing it, by opening it with a double click I get the error "zsh: trace trap /Users/myUser/Desktop/applicationName". What am I doing wrong?