sandbox-exec file-write behaves unexpectedly

hi
I have a rules file like this


(version 1)
(deny default)
...
(allow file-write* (regex "/Users/thomas/Desktop"))


When I use it on app A, it works fine (the app can write to the desktop) but when use it on app B, it doesn't work (the app cannot save a file to the desktop). So I made a test app (app C), a simple cocoa app that just writes a dummy string to a file, and it still doesn't work. If I replace (allow file-write* (regex "/Users/thomas/Desktop")) with (allow file-write*) it works on app B and C too, so I know that's the only thing that's wrong.


So I really don't understand what's going on. How can it work for app A but not for B or C? Especially given that:

  • allowing all file-writes works (so I know the regex is the culprit, even though it works for app A (I tested that the app A can save to Desktop but not to other locations)
  • app C is minimal and is not a "blackbox"
  • I tried tons of different variations: literal instead of regex, "^/Users/thomas/Desktop", "^/Users/thomas/Desktop/" , "^/Users/thomas/Desktop/*", ...
  • apps A, B and C are not sandboxed apps if I run them normally (I can check this in the activity monitor)


Thanks in advance for your help!

  • delete this comment

Add a Comment

Accepted Answer

why doesn't it work?

I’ve no idea, sorry. I just wanted to make sure you weren’t planning to ship a product based on this.

Would there be other alternatives?

Personally, if I need to run software I don’t trust, I do so in a VM.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Answers

Just to be clear, the sandbox profile format is not documented for third party use. Feel free to experiment with this stuff, but please don’t try to ship a product based on it.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

maybe undocumented but... why doesn't it work? Would there be other alternatives?
As a context: I have downloaded some software and I would feel better if I could run it with sandbox-exec or something.
Thanks!

why doesn't it work?

I’ve no idea, sorry. I just wanted to make sure you weren’t planning to ship a product based on this.

Would there be other alternatives?

Personally, if I need to run software I don’t trust, I do so in a VM.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

When developing profiles for sandbox-exec, monitoring sandbox log messages is very helpful to understanding exactly what is being denied. I watch the activity with this command ( that I found in /System/Library/Sandbox/Profiles/com.apple.RemoteManagementAgent.sb ) :

log stream --style compact --info --debug  --predicate '(((processID == 0) AND (senderImagePath CONTAINS "/Sandbox")) OR (subsystem == "com.apple.sandbox.reporting"))'

I've created profiles to add a layer of security when building open source apps, without the inconvenience and overhead of running in a VM. They are available at https://github.com/BrianSwift/macOSSandboxBuild