App Sandbox

RSS for tag

App Sandbox is a macOS access control technology designed to contain damage to the system and user data if an app becomes compromised.

Posts under App Sandbox tag

117 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

App Sandbox Resources
General: DevForums tag: App Sandbox App Sandbox documentation App Sandbox Design Guide documentation — This is no longer available from Apple. There’s still some info in there that isn’t covered by the current docs but, with the latest updates, it’s pretty minimal (r. 110052019). Still, if you’re curious, you can consult an old copy [1]. App Sandbox Temporary Exception Entitlements archived documentation — To better understand the role of temporary exception entitlements, see this post. Embedding a Command-Line Tool in a Sandboxed App documentation Discovering and diagnosing App Sandbox violations (replaces the Viewing Sandbox Violation Reports DevForums post) Resolving App Sandbox Inheritance Problems DevForums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" [1] For example, this one archived by the Wayback Machine.
0
0
2.3k
Sep ’23
Sign in with Sandbox account in Xcode Simulator
Hello! I'm working on implementing SwiftUI + StoreKit2 IAP in my app, and Xcode testing has been fantastic, now I'd like to test my app with Sandbox, where I created a Sandbox account, and it works on my physical device, I can log in, make transactions, etc. (btw, feedback: please improve the UX for Sandbox testing, it's really clumsy compared to Xcode testing with Transaction Manager) My problem is that when I'd like to log in with my Sandbox account on the simulator (Settings -> Developer -> Sandbox Apple Account (at the bottom) -> Sign in), it doesn't work, it fails silently. I know it authenticates well, because if I type in the wrong password, I get an error popup, but with the right password, it just fails silently, hides the login sheet and the "Sign in" text remains "Sign in" (on my phone when I log in, the "Sign in" is replaced with the email address of the Sandbox account). I know many people get errors, and they recommend to go icloud.com and acccept TOS (done that), also to download the latest iOS for the simulator (also done), these are not a problem for me, as I don't get any errors. My authentication works, but for some reason the simulator still won't log in, it fails silently, and I see no errors/reason why. Tried with different simulators (latest iOS version), same result, tried to reboot the simulator, same result. Any idea why is this happening? Thank you, sendai
0
0
52
7h
Unable to validate with app sandbox issues
My app is a Safari extension. When trying to validate the app, I get the following error: App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "app.rango.Rango.pkg/Payload/Rango for Safari.app/Contents/MacOS/Rango for Safari" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. I don't know why this is happening. I have app sandbox enabled in both the app and the extension target. I have both entitlement files. When executing codesign -d --entitlements :- /path/to/binary I get the following: <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.files.user-selected.read-only</key><true/><key>com.apple.security.get-task-allow</key><true/><key>com.apple.security.network.client</key><true/></dict></plist> If I check on Activity Monitor, on the sandbox column it shows true. I have no idea why I keep getting this error when all indicates that the app is actually sandboxed.
4
0
215
2d
full disk access granted, but app fails to load file from user folder
i recently upgraded to sequoia, and now, more often than not, when running in the debugger, opening my database causes a hang: When i run outside the debugger, it opens just fine. I suspect it has to do with "full disk access"? but i've given my app full disk access. i've also set Qt and Xcode to have "Allow apps to use developer tools" permissions. as a test i also added my app into that permission group, all to no avail. the path to the DB being opened is in my user's Music folder, and having full disk access gives permission for everything, including things in that folder. confused!
1
0
169
1w
WKWebView/Sandbox Intermittent Local File Access Denial in macOS Sandbox Environment
Dear Apple Developer Experts, We're experiencing an intermittent issue with WKWebView in our macOS application where local HTML file access is occasionally denied by the sandbox, despite proper implementation and permissions. We seek your guidance in understanding and resolving this issue. Issue Description: The WKWebView occasionally fails to load local HTML files stored in the app's Contents/Resources directory Error occurs in WebKit Networking Process with sandbox denial Issue is intermittent and can be resolved by app restart or WebKit Networking Process restart Affects all local HTML files in the same directory once the issue occurs Technical Details: Error from Kernel Log: 2025-02-07 14:57:17.179821 +0800 kernel Sandbox: com.apple.WebKit.Networking(58661) deny(1) file-read-data /Applications/DingTalk.app/Contents/Resources/webcontent/contact-2024.html WKWebView Delegate Error (captured in WKNavigationDelegate method): (void)webView:(WKWebView *)webView didFailProvisionalNavigation:(WKNavigation *)navigation withError:(NSError *)error Error Details: Domain: NSPOSIXErrorDomain Code: 1 Description: "Operation not permitted" UserInfo: { networkTaskMetricsPrivacyStance: Unknown, _NSURLErrorFailingURLSessionTaskErrorKey: LocalDataTask &lt;3694CA1E-481B-4E06-975D-E3A56AD56C0F&gt;.&lt;1&gt;, _kCFStreamErrorDomainKey: 1, _kCFStreamErrorCodeKey: 1 } Key Observations: Error is captured in WKNavigationDelegate's didFailProvisionalNavigation method The issue affects all local HTML files in the same directory once it occurs Temporary workarounds we've discovered: Restarting the application completely resolves the issue Without restarting the application, terminating the "WebKit Networking Process" via Activity Monitor causes the process to automatically restart, and this resolves the issue and load works again Additional Information: We've collected complete system diagnostics (system_logs.logarchive) at the time of failure The issue appears similar to discussions in Apple Developer Forums (https://developer.apple.com/forums/thread/110072), though we're uncertain if it's the same root cause We've prepared a minimal demo project demonstrating: Our release version app can be downloaded from: https://dtapp-pub.dingtalk.com/dingtalk-desktop/mac_dmg/Release/M1-Beta/DingTalk_v7.6.45_43521682_universal.dmg?spm=0.0.0.0.UuwovG&amp;file=DingTalk_v7.6.45_43521682_universal.dmg for examining our app's codesign, sandbox, and entitlements configurations if needed Important Investigation Finding: We attempted to simulate the issue by using chmod 000 /path/to/test.html, but this produces a different error: CopyError Domain=NSURLErrorDomain Code=-1102 Description="You do not have permission to access the requested resource." UserInfo={ NSLocalizedDescription=You do not have permission to access the requested resource., NSErrorFailingURLStringKey=file:///Users/sunus/Library/Developer/Xcode/DerivedData/WKWebViewLocalDemo-eumardnlfbmwgnhkaadglsrrhzhs/Build/Products/Debug/WKWebViewLocalDemo.app/Contents/Resources/test.html, NSUnderlyingError=0x600003aedc50 {Error Domain=kCFErrorDomainCFNetwork Code=-1102 "(null)"} } This error is distinctly different from our original issue's "Operation not permitted" error, suggesting that the sandbox denial we're experiencing is not a simple file permission issue. Questions: Is this a known issue with the WebKit sandbox in recent macOS versions? Are there recommended best practices or workarounds to prevent this sandbox denial? Could this be related to the WebKit Networking Process's sandbox configuration? Are there additional diagnostics or logs we should collect to help investigate this issue? We appreciate your assistance in investigating this issue. Please let us know if you need any additional information or clarification. STEPS TO REPRODUCE Open App Then loads the local file in /WKWebViewLocalDemo.app/Contents/Resources/test.html PS, We also submit a DTS &amp; Feedback DTS:Case-ID: 11876957 Feedback-ID: FB16493282 sysdiagnose is in the Feedback-ID: FB16493282 is uploaded
2
1
243
1w
macOS 虚拟机不能识别手机
Windows 10 使用 VirtualBox 创建的 Monterey 12.6.7 macOS 虚拟机不能识别到 iPhone 7 手机。 iPhone 7 已经连接到电脑主机 (win 10) 的 USB 3.0 口子,手机已经信任电脑。 在 win 10,我看到了 “此电脑\Apple iPhone”,就是说,宿主机识别到了 手机。 现在,开启macOS 虚拟机,虚拟机右下角的 usb 图标,显示并且勾选到了 "Apple Inc. iPhone [0901]",但虚拟机还是没看到手机设备,导致 Xcode 也看不到手机设备。 虚拟机运行后,插拔 iPhone 7 手机,通过 sudo log show --predicate 'eventMessage contains "usbmuxd"' --info 看到了报错信息: 2025-02-13 10:31:06.541201+0800 0xa3c Error 0x0 0 0 kernel: (Sandbox) 1 duplicate report for System Policy: usbmuxd(22583) deny(1) file-write-mode /private/var/db/lockdown 2025-02-13 10:31:07.090321+0800 0xf807 Error 0x0 140 0 sandboxd: [com.apple.sandbox.reporting:violation] System Policy: usbmuxd(22583) deny(1) file-write-mode /private/var/db/lockdown Violation: deny(1) file-write-mode /private/var/db/lockdown Process: usbmuxd [22583] Path: /usr/local/sbin/usbmuxd Load Address: 0x10564b000 Identifier: usbmuxd Version: ??? (???) Code Type: x86_64 (Native) Parent Process: sudo [22582] Responsible: /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal User ID: 0 Date/Time: 2025-02-13 10:31:06.793 GMT+8 OS Version: macOS 12.6.7 (21G651) Release Type: User Report Version: 8 MetaData: {"vnode-type":"DIRECTORY","hardlinked":false,"pid":22583,"process":"usbmuxd","primary-filter-value":"/private/var/db/lockdown","platform-policy":true,"binary-in-trust-cache":false,"path":"/private/var/db/lockdown","primary-filter":"path","action":"deny","matched-extension":false,"process-path":"/usr/local/sbin/usbmuxd","file-flags":0,"responsible-process-path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","flags":21,"platform-binary":false,"rdev":0,"summary":"deny(1) file-write-mode /private/var/db/lockdown","target":"/private/var/db/lockdown","mount-flags":76582912,"profile":"platform","matched-user-intent-extension":false,"apple-internal":false,"storage-class":"Lockdown","platform_binary":"no","operation":"file-write-mode","profile-flags":0,"normalized_target":["private","var","db","lockdown"],"file-mode":448,"errno":1,"build":"macOS 12.6.7 (21G651)","policy-description":"System Policy","responsible-process-signing-id":"com.apple.Terminal","hardware":"Mac","uid":0,"release-type":"User"} Thread 0 (id: 63477): 0 libsystem_kernel.dylib 0x00007ff80d8368ae __chmod + 10 1 usbmuxd 0x000000010565584e main + 3582 (main.c:816) 2 dyld 0x0000000114e3f52e start + 462 Binary Images: 0x10564b000 - 0x10565afff usbmuxd (0) <0fc9b657-d311-38b5-bf02-e294b175a615> /usr/local/sbin/usbmuxd 0x114e3a000 - 0x114ea3567 dyld (960) <2517e9fe-884a-3855-8532-92bffba3f81c> /usr/lib/dyld 0x7ff80d832000 - 0x7ff80d869fff libsystem_kernel.dylib (8020.240.18.701.6) /usr/lib/system/libsystem_kernel.dylib 2025-02-13 10:35:39.751714+0800 0x27f Default 0x0 0 0 kernel: (Sandbox) Sandbox: usbmuxd(119) allow iokit-get-properties kCDCDoNotMatchThisDevice 2025-02-13 10:35:45.025063+0800 0x27f Default 0x0 0 0 kernel: (Sandbox) Sandbox: usbmuxd(119) allow iokit-get-properties kCDCDoNotMatchThisDevice
0
0
151
1w
Nullifying Sandbox Contraints for an .xcodeproj following Xcode's 'command-line' template?
Environment: Xcode v. 16.2; Swift version 6+ Scenario: I have an .xcodeproj within an .xcsworkingspace that must follow the 'command-line' paradigm outside the sandbox. My UnitTest (using the newer 'Swift Test' vs 'XCTest') is hitting runtime fatal errors due to sandbox violations. Here's a typical error line from the compiler: 1 duplicate report for Sandbox: chmod(41377) deny(1) file-read-data /Users/Ric/Library/.. I've set the .entitlement to ignore sandbox: &amp;lt;key&amp;gt;com.apple.security.app-sandbox&amp;lt;/key&amp;gt; &amp;lt;false/&amp;gt; I also created a shell script in the project build phase to access my TestData which was copied via a Build Phase: #!/bin/bash BUILD_DIR="${BUILT_PRODUCTS_DIR}" TEST_DATA="${SRCROOT}/SwiftModelTest/TestData" mkdir -p "${BUILD_DIR}/TestData" cp -R "${TEST_DATA}/" "${BUILD_DIR}/TestData/" What do I need to allow real-time Testing of my code without worrying about the Sandbox?
1
0
210
2w
CGEvent Not Working
I am trying to simulate a paste command and it seems to not want to paste. It worked at one point with the same code and now is causing issues. My code looks like this: ` func simulatePaste() { guard let source = CGEventSource(stateID: .hidSystemState) else { print("Failed to create event source") return } let keyDown = CGEvent(keyboardEventSource: source, virtualKey: CGKeyCode(9), keyDown: true) let keyUp = CGEvent(keyboardEventSource: source, virtualKey: CGKeyCode(9), keyDown: false) keyDown?.flags = .maskCommand keyUp?.flags = .maskCommand keyDown?.post(tap: .cgAnnotatedSessionEventTap) keyUp?.post(tap: .cgAnnotatedSessionEventTap) print("Simulated Cmd + V") } I know that there is some issues around permissions and so in my Info.plist I have this: &lt;string&gt;NSApplication&lt;/string&gt; &lt;key&gt;NSAppleEventsUsageDescription&lt;/key&gt; &lt;string&gt;This app requires permission to send keyboard input for pasting from the clipboard.&lt;/string&gt; I have also disabled sandbox. It does ask me if I want to give the app permissions but after approving it, it still doesn't paste.
1
0
163
2w
Sandbox Permissions for Clipboard Monitoring and Modification in a macOS App
Hello, I’m developing a sandboxed macOS app using Qt, which will be distributed via the Mac App Store. The app: Monitors the clipboard to store copied items. Overrides the paste function of the operating system via keyboard shortcuts. Modifies clipboard content, replacing what the user pastes with stored data. So, I have some questions: Can a sandboxed app continuously read and modify clipboard content? What entitlements are required? What permissions should I request from the user to ensure that my app works? Any guidance would be greatly appreciated! Thanks in advance! Beril Bayram
5
1
311
Jan ’25
Sdk access to filemanager documents directory
Not sure if my question is weird or not, but I didnt find any documentation about an sdks access to an apps documents directory. Im assuming that because sdk is part of the sandbox that it can access and read from the documents directory? i.e. if i used NSFileManager.defaultManager.URLForDirectory( directory = NSCachesDirectory, inDomain = NSUserDomainMask, appropriateForURL = null, create = false, error = null, ) to write a file called "file.txt", then any sdk my app used has the ability to access the contents of said directory? If yes, why isnt this considered something more worth mentioning? usually in filemanager tutorials they never warn about this. FYI: Im asking more for iOS and iPadOs then MacOs.
8
0
301
Jan ’25
The file “Desktop” couldn’t be opened.
hey everyone.!! In one of my macOS projects I am trying to fetch the files and folders available on "Desktop" and "Document" folder and trying to showing it on collection view inside the my project, but when I try to fetch the files and folder of desktop and document, I am not able to fetch it. But if i try it by setting the entitlements False, I am able to fetch it. If any have face the similar issue, or have an alternative it please suggest. NOTE:- I have tried implementing it using NSOpenPanel and it works, but it lowers the user experience.
0
0
291
Jan ’25
Apple Events won't trigger Privacy & Security alerts due to Sandboxing
I created an app in Xcode using ApplescriptObjC that is supposed to communicate with Finder and Adobe Illustrator. It has been working for the last 8 years, until now I have updated it for Sonoma and it no longer triggers the alerts for the user to approve the communication. It sends the Apple Events, but instead of the alert dialog I get this error in Console: "Sandboxed application with pid 15728 attempted to lookup App: "Finder"/"finder"/"com.apple.finder" 654/0x0:0x1d01d MACSstill-hintable sess=100017 but was denied due to sandboxing." The Illustrator error is prdictably similar. I added this to the app.entitlements file: <key>com.apple.security.automation.apple-events</key> <array> <string>com.apple.finder</string> <string>com.adobe.illustrator</string> </array> I added this to Info.plist: <key>NSAppleEventsUsageDescription</key> <string>This app requires access to Finder and Adobe Illustrator for automation.</string> I built the app, signed with the correct Developer ID Application Certificate. I've also packaged it into a signed DMG and installed it, with the same result as running it from Xcode. I tried stripping it down to just the lines of code that communicate with Finder and Illustrator, and built it with a different bundle identifier with the same result. What am I missing?
3
0
359
Jan ’25
Testflight Auto renewable subscirption doesnt expire.
Hi, Apple changed the renewal rate for auto renewable subscriptions in testflight to 24hrs and after 6 renewals it is supposed to expire. My subscription is now active for more than 13 days, it didnt expire as its supposed to. I heard that there is no chance to cancel it manually. Is there anyone else who had this problem and found a solution? I use RevenueCat to manage subscriptions. Maybe its because they have not adapted to apples update yet. Are there any other RevenueCat users that can confirm this experience? Or non RC users who don't have the issue I'm facing? Any responds are welcome.
1
1
373
Dec ’24
Cannot Cancel Sandbox Subscription
I did an in app purchase in my development app and now I cannot get rid of it. It is a "monthly" subscription that seems to renew every 1 day. I can see the subscription when I go to settings then tap on Subscriptions. Then I tap the item and choose "Cancel Subscription", revealing a new modal sheet saying "Confirm Cancellation". When I "Confirm", I get the popup: "Your request is temporarily unable to be processed, please try again later". However, this is anything BUT temporary, has gone on for a couple weeks now. As such, I am unable to test subscriptions in my development app. I've tried logging out, restarting, different devices, etc. The phone is logged in under my primary user account, and I may not have been logged into sandbox email when I did the purchase. Can someone forcibly remove it for me?
0
1
321
Dec ’24
Embedding automation command line tool into an AppStore app
I am developing a macOS word-processing app that should be distributed via the Apple App Store. Some of the app's functions like generating HTML and PDF exports should be automatable via Shortcuts and via shell scripts. To support the latter, I plan to include a command line tool inside the app that can be called from the Terminal or a shell script. The tool should be able to instruct the main app to then perform the desired commands. A well-known AppStore app that uses this design is BBEdit which also contains multiple command line tools that offer functionality from the main app to users of the Terminal. My technical questions now are: Should the command line tool executable be sandboxed and if yes, how? Even after many trials, I have not found a way to make a working sandboxed command line tool. If a sandboxed tool is started from the Terminal, it is immediately terminated with an exception in _libsecinit_appsandbox.cold.12. I am aware of the Apple developer documentation article Embedding A Helper Tool In A Sandboxed App, but it addresses a different architecture in which the helper tool is started from the main app and therefore is able to inherit its sandbox. BBEdit is only sandboxing the main app, but not its embedded command line tools and is still allowed in the App Store. Is this the way to go for me as well or does BBEdit get some special treatment in the App Store? How can the command line tool pass the permission to access files to the main app? As my main app is sandboxed, it needs explicit permission from the user to be able to access files. Users of a command line tool give this permission by providing file paths as arguments. How can I pass these permissions along to the main app? BBEdit is able to do this even when the user has not given it full-disk access. I know that it is using Apple Events for the communication between the command line tool and the main app, but I am not sure how this allows to pass permissions. Can anyone shed light on how to implement a solution here? Thanks!
0
0
247
Dec ’24
Adding a sandboxed v2ray precompiled binary to my application
Greetings! I want to add my pre-compiled binary of v2ray to my application so I can activate it in background as a proxy and run stuff through it. I've codesigned it via: codesign -s - -i production.myproject.v2ray -o runtime --entitlements v2ray.entitlements -f v2ray Contents of entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> Originally I ran it like this without sandboxing from my main target app: guard let v2rayPath = Bundle.main.path(forResource: "v2ray", ofType: nil) else { throw NSError(domain: "ProxyController", code: 1, userInfo: [NSLocalizedDescriptionKey: "V2Ray binary not found in bundle"]) } let task = Process() task.executableURL = URL(fileURLWithPath: v2rayPath) task.arguments = ["-config", configURL.path] // Redirect output for debugging let pipe = Pipe() task.standardOutput = pipe task.standardError = pipe``` And it ran flawlessly. Now it refuses to start. Any help, pointers or examples of such usage will be greatly appreciated
2
0
421
Dec ’24
The curious case of the "IOKit Driver" Xcode target.
Firstly, I realise that Kexts are deprecated. And for my needs, user-space IOKit from an application might be more than I’ll ever need, but I can’t help ensuring I’ve got all my ducks in a row while I’m designing an app. I noticed in the above Kext deprecation notice that it’s more about specific APIs that are deprecated rather than the kext mechanism itself (no mention of IOKit kernel APIs there). Along with the fact that a reboot would be required and various other policy changes. While reading up on System Extensions and the various newer tools, DriverKit, Endpoint Security etc, I’ve noticed there’s no mention of this “IOKit Driver” target/deliverable in the Xcode template chooser. It looks like, from the requirements, that DriverKit is aimed at hardware manufacturers, with a need to request the DriverKit entitlement for development. With respect to Apple’s internal Kext deprecation roadmap, how safe is it to build a product that relies on using an IOKit Driver and are there any requirements similar to DriverKit? Would a developer need to request an entitlement? If I developed an app using user-space IOKit and, for illustration purposes let’s say I also included an IOKit Driver in the app bundle. If I used the IOKit API, including header file constants only (no digging around in the IORegistryExplorer for non-public keys), as Apple intends them to be used, would this fall foul of any App Store rules that anyone is aware of? Put another way, would making use of an IOKit Driver disqualify my app from being distributed via the App Store, similar to an Endpoint Security extension? As an aside, there are a lot of API in the ES Framework that could be used to build apps that have nothing to do with Endpoint Security. File system related apps for example. It’s a shame there isn’t an enhanced middle ground between FSEvents and Endpoint Security framework.
3
0
532
Dec ’24
USB issue
there is a functional issue that I hope to receive your help Background: When my app is running, it will monitor the USB devices currently connected to the Mac and obtain the hid related configurations for each USB device, such as: {vendorId: 10168, productId: 493, path: 'IOService:/ AppleACPIPl...HIDDevice@14210000 0 serialNumber: '20002E8C', manufacturer: 'ThingM', product: 'blink(1) mk2', release: 2, interface: -1, usagePage: 65280, usage: 1} Originally running normally, but in sandbox mode, I found that there were some missing information in obtaining device information, specifically the path of each USB device obtained (e.g. 'IOService:/ AppleACPIPl...HIDDevice@14210000 0 ') are all lost (with empty content), but they can be obtained in non sandbox environments. Do i need any additional permissions for this? PS: I have been keeping it on: com. apple. security. device. usb
1
0
306
Dec ’24
Re: Resolving App Sandbox Inheritance Problems
I have a werid case that shouldn't happen according to https://forums.developer.apple.com/forums/thread/706390 I have an audio unit which runs in FCP and I want it to launch a sandboxed app as a child process. If I sign the child app with just "com.apple.security.app-sandbox" entitlement it crashes with SYSCALL_SET_PROFILE error. According to the article referenced above: "This indicates that the process tried to setup its sandbox profile but that failed, in this case because it already has a sandbox profile." This makes sense because audio units run in a sandboxed environment (in AUHostingService process). So I added "com.apple.security.inherit" to the entitlements plist and now I get "Process is not in an inherited sandbox." error. According to the article referenced above: "Another cause of a trap within _libsecinit_appsandbox is when a nonsandboxed process runs another program as a child process and that other program’s executable has the com.apple.security.app-sandbox and com.apple.security.inherit entitlements. That is, the child process wants to inherit its sandbox from its parent but there’s nothing to inherit." And this doesn't make sense at all. The first error indicates the child process is trying to create a sandboxed environment within a parent sandboxed environment while the second error indicates there's no a parent sandboxed environment... I specifically checked the child process has "com.apple.security.app-sandbox" and "com.apple.security.inherit" entitlements only. If I remove all entitlements from the child process it launches and runs fine from the audio unit plugin. And if I remove "com.apple.security.inherit" but leave "com.apple.security.app-sandbox" I can successfully launch the app in standalone mode (in Finder). For the testing puroses I use a simple Hello World desktop application generated by XCode (Obj-C). Does anybody have an idea what can be the reason for such a weird behavior?
3
0
551
Dec ’24