I'm preparing a sandboxed app for macOS Catalina and adopting the hardened runtime, so I can participate in app notarization. Everything is generally working except for a child process my app sometimes needs to launch using NSTask. This child process is also sandboxed, inheriting the sandbox from its parent (the main app).
The problem is that the child process requires special entitlements to function. Specifically, I'm referring to new hardened runtime entitlements like com.apple.security.cs.disable-library-validation. However, if I add such entitlements to the child process it fails to launch. This is somewhat expected, as the child process inherits the parent app's sandbox (via the entitlement com.apple.security.inherit). As described by Apple's documentation on inheriting a sandbox: "If you specify any other App Sandbox entitlement, the system aborts the child process". That means I am unable to directly add hardened runtime entitlements like com.apple.security.cs.disable-library-validation to the child's entitlements. As the docs say, adding the new entitlements prevents the child process from running at all.
I thought maybe the child process could inherit the required hardened runtime entitlements from its parent. I tried adding com.apple.security.cs.disable-library-validation to the main app's entitlements, hoping the child process would inherit the capability. However, this appears to be untrue. My child process failed as if the required entitlement was not present.
My questions are:
1. Is this expected? In other words, should a child process with an inherited sandbox also inherit its parent's hardened runtime entitlements?
2. Is there any way to work around this, so the child process can be sandboxed and use additional hardened runtime entitlements?
Right now I am stuck at an impasse. I can either sandbox the child process or specify the hardened runtime entitlement, but not both. This prevents app notarization, which obviously will be a big problem once Catalina arrives.
Thanks for any help!