Sandbox app + Parallel Process + LAN Socket (validation app store)

Hello everyone, I need help with an issue that is unclear to me. I developed an application with Unity and now I'm using Xcode to distribute it both outside the App Store and on the App Store. As for the first option, no problem, I was able to build the app and upload it for validation. However, regarding the App Store, I have a problem with "App Sandbox," which seems to be mandatory in this case. My application is essentially a party game where one part functions as a desktop application and another part as a mobile application. The desktop application launches a parallel process (which I included in a group within Xcode and signed with my developer ID) that makes the two parts communicate through a socket on the local network. When I enable App Sandbox, it seems that the process is not launched by the main application. I have also enabled the two options, Incoming Connection (server/client), under App Sandbox, but it still did not work. I thank you in advance for the support.

Answered by DTS Engineer in 803382022

It is possible for a sandboxed Mac app to launch a helper process and then communicate it via various IPC APIs. However, getting the details right can be a bit tricky.

What API are you using to launch your helper process?

This matters because of sandbox inheritance:

  • If you launch it as a child process — using fork + exec*, posix_spawn, NSTask, Swift Process, and so on — it inherits the parent’s static sandbox.

  • If you launch it as an independent process — typically using NSWorkspace — it gets its own sandbox.

the two parts communicate through a socket on the local network.

These two processes are on the same Mac, right? So what do you mean by “local network”? Is this TCP/IP? Or a Unix domain socket (AF_UNIX, aka AF_LOCAL)? Or something else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I created an Xcode project through a build in Unity. For it to work, it needs to execute an external "Unix Executable" outside of the project, which acts as a "Server." Through this executable, which exposes a socket channel, the Unity application and a mobile application communicate with each other. So, I created a "group" in Xcode called "Server," which creates a "Server" folder inside the "Contents" folder of the .app file. The Xcode build correctly places the files, and everything works fine until I enable the Sandbox. Once enabled, the "Unix Executable" necessary for communication is no longer executed. It seems that the Sandbox does not provide the necessary permissions to access that executable file.

It seems that the Sandbox does not provide the necessary permissions to access that executable file.

Given that this is an unbundled executable, it’s almost certain that you’re executing it as a child process, that is, via posix_spawn or some wrapper around that.

It is possible for sandbox apps to run child processes, but it’s a bit tricky. See Embedding a command-line tool in a sandboxed app.

which exposes a socket channel

What sort of socket? There are two common options here, and both of them present challenges:

  • If you use a TCP/IP socket (AF_INET or AF_INET6) you could bump into local network privacy issues (introduced in macOS 15, currently a release candidate). I think you’ll be OK if you stick with localhost (127.0.0.1 or ::1) but I’m still coming up to speed on this technology on the Mac.

  • If you use a Unix domain socket (AF_UNIX or AF_LOCAL), the App Sandbox requires that you put the listening socket in an app group container.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It is an application that uses socket.io (TCP/IP) and exposes a socket channel using the network interface address you are connected to the router with, for example: 192.168.1.55:300.

Here is a screenshot of the current situation. As I mentioned, I created a "Group" named "Server," and under that group, I added the references to the executable (and a library used within it). The file that is not being executed is "partyGameSocketServer."

I found that I could use posix_spawn() to run a second process from main. Now even with the sandbox enabled the process runs correctly without being killed. I had one last obstacle left to overcome, publishing on the Mac App Store requires that the child process is also signed with the sandbox and I tried using these two keys "com.apple.security.app-sandbox" and "com.apple.security.inherit". The problem is that when I test it, after signing it, by opening it with a double click I get the error "zsh: trace trap /Users/myUser/Desktop/applicationName". What am I doing wrong?
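An added example for readers of this thread (not code from the posts, from Unity or from Apple) of the launch-and-listen pattern the replies describe: the sandboxed parent derives the helper's path under Contents/Server, spawns it with posix_spawn so it runs as a child that inherits the parent's sandbox, and the helper opens its TCP listener. The bundle layout, the helper name partyGameSocketServer and all function names are assumptions taken from the thread; a helper signed with the inherit entitlement has no sandbox of its own, so it is meant to be started this way by the sandboxed app rather than double-clicked.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <spawn.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

extern char **environ;

/* Assumed layout from the thread: the Xcode "Server" group lands in
 * Contents/Server/ and the helper is named partyGameSocketServer. */
int helper_path_in_bundle(const char *main_exe, char *out, size_t n) {
    const char *macos_dir = strstr(main_exe, "/Contents/MacOS/");
    if (macos_dir == NULL) return -1;
    int len = snprintf(out, n, "%.*s/Contents/Server/partyGameSocketServer",
                       (int)(macos_dir - main_exe), main_exe);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* posix_spawn makes the helper a child process: under App Sandbox it inherits
 * the parent's static sandbox, so sign it with com.apple.security.app-sandbox
 * plus com.apple.security.inherit, and keep the network entitlements on the
 * parent. Returns 0 on success (posix_spawn returns an errno value). */
int spawn_helper(char *const argv[], pid_t *pid) {
    return posix_spawn(pid, argv[0], NULL, NULL, argv, environ) == 0 ? 0 : -1;
}

/* TCP listener bound to ip:port. Binding the LAN address (192.168.1.55 in the
 * thread) is what lets the phone connect, and also what macOS 15 treats as
 * local-network access; 127.0.0.1 only reaches peers on the same Mac.
 * Writes the port actually bound, which matters when port is 0. */
int listen_tcp(const char *ip, uint16_t port, uint16_t *actual_port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    socklen_t len = sizeof addr;
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(fd, 8) != 0 ||
        getsockname(fd, (struct sockaddr *)&addr, &len) != 0) { close(fd); return -1; }
    if (actual_port) *actual_port = ntohs(addr.sin_port);
    return fd;
}
```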
