Viewing Sandbox Violation Reports

Question

DTS Engineer OP

Apple

Created Mar ’22

Replies 0

Boosts 0

Views 4.2k

Participants 1

IMPORTANT This post has been replaced by an official document, Discovering and diagnosing App Sandbox violations. Yay! I’m leaving it here for historical context only.

The best way to view sandbox violation reports has changed over the years, so I thought I’d post some up-to-date info. I tested the following with Xcode 13.3 on macOS 12.2.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Viewing Sandbox Violation Reports

After enabling the App Sandbox, you may find that your app fails in some non-obvious way. That is, something within your app doesn’t work, but your app doesn’t display a permissions error and so you have no idea where to start. If you find yourself in that situation, look for a sandbox violation report:

Run the Console app.
For each line below, copy the line and paste it in to the search box at the top right.
```
 type:error
subsystem:com.apple.sandbox.reporting
category:violation
```
This searches for sandbox violation reports.

Note The exact query terms have changed over time. The above is accurate from macOS 12.2.
Click the Save button in the bar below the search box and enter a name for your saved search. I typically use “Sandbox” for this. In future, click on this saved search to skip the previous step.
Click “Start streaming”.
Run your app and reproduce the problem.
Look for a sandbox violation report in the log. If you see one, follow the steps below to investigate.

Inside a Sandbox Violation report

A sandbox violation report log entry looks like this:

 type: error
time: 11:58:26.009175+0000
process: sandboxd
subsystem: com.apple.sandbox.reporting
category: violation
message: Sandbox: AppSandboxViolat(5807) deny(1) file-read-data /Users/quinn/.ssh/id_rsa

The message includes a complete sandbox violation report. That’s too big to include here, so I’ve added it as a text attachment.

Viewing Sandbox Violation Reports.txt

Violation:       deny(1) file-read-data /Users/quinn/.ssh/id_rsa
Process:         AppSandboxViolat [5807]
Path:            /Users/quinn/Library/Developer/Xcode/DerivedData/AppSandboxViolator-fdwuhakenreitddixptqklqzocjf/Build/Products/Debug/AppSandboxViolator.app/Contents/MacOS/AppSandboxViolator
Load Address:    0x10910b000
Identifier:      com.example.apple-samplecode.AppSandboxViolator
Version:         1 (1.0)
Code Type:       x86_64 (Native)
Parent Process:  debugserver [5808]
Responsible:     /Users/quinn/Library/Developer/Xcode/DerivedData/AppSandboxViolator-fdwuhakenreitddixptqklqzocjf/Build/Products/Debug/AppSandboxViolator.app/Contents/MacOS/AppSandboxViolator
User ID:         502

Date/Time:       2022-03-22 11:58:25.994 GMT
OS Version:      macOS 12.2.1 (21D62)
Release Type:    User
Report Version:  8

MetaData: {"profile-flags":0,"summary":"deny(1) file-read-data \/Users\/quinn\/.ssh\/id_rsa","flags":5,"platform_binary":"no","hardware":"Mac","policy-description":"Sandbox","removable-media":false,"rdev":0,"team-id":"SKMME9E2Y8","operation":"file-read-data","signing-id":"com.example.apple-samplecode.AppSandboxViolator","platform-policy":false,"mount-flags":76582912,"path":"\/Users\/quinn\/.ssh\/id_rsa","platform-binary":false,"file-mode":384,"matched-extension":false,"primary-filter":"path","responsible-process-path":"\/Users\/quinn\/Library\/Developer\/Xcode\/DerivedData\/AppSandboxViolator-fdwuhakenreitddixptqklqzocjf\/Build\/Products\/Debug\/AppSandboxViolator.app\/Contents\/MacOS\/AppSandboxViolator","apple-internal":false,"pid":5807,"vnode-type":"REGULAR-FILE","process":"AppSandboxViolat","target":"\/Users\/quinn\/.ssh\/id_rsa","action":"deny","build":"macOS 12.2.1 (21D62)","binary-in-trust-cache":false,"matched-user-intent-extension":false,"process-path":"\/Users\/quinn\/Library\/Developer\/Xcode\/DerivedData\/AppSandboxViolator-fdwuhakenreitddixptqklqzocjf\/Build\/Products\/Debug\/AppSandboxViolator.app\/Contents\/MacOS\/AppSandboxViolator","primary-filter-value":"\/Users\/quinn\/.ssh\/id_rsa","normalized_target":["Users","quinn",".ssh","id_rsa"],"profile-in-collection":false,"file-flags":0,"uid":502,"errno":1,"container":"\/Users\/quinn\/Library\/Containers\/com.example.apple-samplecode.AppSandboxViolator\/Data","hardlinked":false,"release-type":"User"}

Thread 0 (id: 291952):
0   libsystem_kernel.dylib        	0x00007ff81905336a __open + 10
1   Foundation                    	0x00007ff819f81407 _NSReadBytesFromFileWithExtendedAttributes + 167
2   Foundation                    	0x00007ff819f81276 -[NSData(NSData) initWithContentsOfFile:options:maxLength:error:] + 119
3   libswiftFoundation.dylib      	0x00007ff82a7a18dd NSData.__allocating_init(contentsOf:options:) + 77
4   libswiftFoundation.dylib      	0x00007ff82a7a184c Data.init(contentsOf:options:) + 76
5   AppSandboxViolator            	0x000000010910e703 ViewController.violateAction(_:) + 1507 (ViewController.swift:25)
6   AppSandboxViolator            	0x000000010910f631 @objc ViewController.violateAction(_:) + 65 (<compiler-generated>:0)
7   AppKit                        	0x00007ff81bd8897d -[NSApplication(NSResponder) sendAction:to:from:] + 288
8   AppKit                        	0x00007ff81bd88824 -[NSControl sendAction:to:] + 86
9   AppKit                        	0x00007ff81bd88756 __26-[NSCell _sendActionFrom:]_block_invoke + 131
10  AppKit                        	0x00007ff81bd8865f -[NSCell _sendActionFrom:] + 171
11  AppKit                        	0x00007ff81bd885a6 -[NSButtonCell _sendActionFrom:] + 96
12  AppKit                        	0x00007ff81bd85414 NSControlTrackMouse + 1817
13  AppKit                        	0x00007ff81bd84cd7 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121
14  AppKit                        	0x00007ff81bd84baa -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 679
15  AppKit                        	0x00007ff81bd83f78 -[NSControl mouseDown:] + 678
16  AppKit                        	0x00007ff81bd82457 -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4949
17  AppKit                        	0x00007ff81bcf6390 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 2582
18  AppKit                        	0x00007ff81bcf575a -[NSWindow(NSEventRouting) sendEvent:] + 352
19  AppKit                        	0x00007ff81bcf3b28 -[NSApplication(NSEvent) sendEvent:] + 352
20  AppKit                        	0x00007ff81bfad1a7 -[NSApplication _handleEvent:] + 65
21  AppKit                        	0x00007ff81bb7493e -[NSApplication run] + 623
22  AppKit                        	0x00007ff81bb487b7 NSApplicationMain + 816
23  AppSandboxViolator            	0x0000000109115034 static NSApplicationDelegate.main() + 36 (<compiler-generated>:0)
24  AppSandboxViolator            	0x0000000109115007 static AppDelegate.$main() + 39 (<compiler-generated>:0)
25  AppSandboxViolator            	0x0000000109115098 main + 24 (<compiler-generated>:0)
26  dyld                          	0x00000001102814fe start + 462

Thread 1 (id: 291994):
0   libsystem_kernel.dylib        	0x00007ff81905417a __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x000000010923dccb start_wqthread + 15

Thread 2 (id: 291996):
0   libsystem_kernel.dylib        	0x00007ff81905417a __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x000000010923dccb start_wqthread + 15

Thread 3 (id: 291998):
0   libsystem_kernel.dylib        	0x00007ff81905417a __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x000000010923dccb start_wqthread + 15

Thread 4 (id: 292002):
0   libsystem_kernel.dylib        	0x00007ff81905417a __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x000000010923dccb start_wqthread + 15

Thread 5 (id: 292003):
0   libsystem_kernel.dylib        	0x00007ff81905417a __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x000000010923dccb start_wqthread + 15

Thread 6 (id: 292004):
0   libsystem_kernel.dylib        	0x00007ff81905417a __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x000000010923dccb start_wqthread + 15

Thread 7 (id: 292005):
0   libsystem_kernel.dylib        	0x00007ff81905417a __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x000000010923dccb start_wqthread + 15

Thread 8 (id: 292010, com.apple.NSEventThread):
0   libsystem_kernel.dylib        	0x00007ff819052aba mach_msg_trap + 10
1   CoreFoundation                	0x00007ff819156af2 __CFRunLoopServiceMachPort + 319
2   CoreFoundation                	0x00007ff8191551cb __CFRunLoopRun + 1325
3   CoreFoundation                	0x00007ff8191545dd CFRunLoopRunSpecific + 563
4   AppKit                        	0x00007ff81bcf1fd8 _NSEventThread + 132
5   libsystem_pthread.dylib       	0x0000000109235cb0 _pthread_start + 125
6   libsystem_pthread.dylib       	0x000000010923dcdf thread_start + 15

Binary Images:
       0x10910b000 -        0x109116ff7  com.example.apple-samplecode.AppSandboxViolator (1.0 - 1) <98b56ea8-2176-30be-b500-e69f6cf67bd2> /Users/quinn/Library/Developer/Xcode/DerivedData/AppSandboxViolator-fdwuhakenreitddixptqklqzocjf/Build/Products/Debug/AppSandboxViolator.app/Contents/MacOS/AppSandboxViolator
       0x109234000 -        0x109241fff  libsystem_pthread.dylib (485.60.2) <9e08383a-a2b2-3acf-8164-d0e925ddfa97> /usr/lib/system/introspection/libsystem_pthread.dylib
       0x11027c000 -        0x1102e4c67  dyld (941.5) <7de33963-bbc5-3996-ba6e-f1d562c17c95> /usr/lib/dyld
    0x7ff819052000 -     0x7ff819088fff  libsystem_kernel.dylib (8019.80.24) <c1d58a50-5a4d-3bcb-a1fc-ec0902ce34d3> /usr/lib/system/libsystem_kernel.dylib
    0x7ff8190d6000 -     0x7ff8195d8ffd  com.apple.CoreFoundation (6.9 - 1856.107) <9b112884-be6c-3c7f-9a2a-a47c491105db> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    0x7ff819f5c000 -     0x7ff81a316ff7  com.apple.Foundation (6.9 - 1856.107) <bf00b016-c645-3574-b74f-4386750fb009> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
    0x7ff81bb45000 -     0x7ff81c9d6ffc  com.apple.AppKit (6.9 - 2113.30.116) <9d3ab204-4858-3120-b002-5c38b02edec4> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
    0x7ff82a6b6000 -     0x7ff82a9f5ff9  libswiftFoundation.dylib (70.101) <3d85743a-2364-33dc-80d3-8779fda58bfd> /usr/lib/swift/libswiftFoundation.dylib

Look at the Violation field first:

Violation:       deny(1) file-read-data /Users/quinn/.ssh/id_rsa

This means that the App Sandbox blocked an attempt to read the data of the file at the path /Users/quinn/.ssh/id_rsa.

Next look at the thread backtraces. It’s normally pretty easy to identify the thread responsible for the violation: It’s the one blocked in a system call that could reasonably trigger this violation. For example:

 Thread 0 (id: 291952):
0   libsystem_kernel.dylib   … __open + 10
1   Foundation               … _NSReadBytesFromFileWithExtendedAttributes + 167
2   Foundation               … -[NSData(NSData) initWithContentsOfFile:options:maxLength:error:] + 119
3   libswiftFoundation.dylib … NSData.__allocating_init(contentsOf:options:) + 77
4   libswiftFoundation.dylib … Data.init(contentsOf:options:) + 76
5   AppSandboxViolator       … ViewController.violateAction(_:) + 1507 (ViewController.swift:25)
6   AppSandboxViolator       … @objc ViewController.violateAction(_:) + 65 (<compiler-generated>:0)
7   AppKit                   … -[NSApplication(NSResponder) sendAction:to:from:] + 288
…

Here you see that AppKit has called the ViewController.violateAction(_:) method (frame 6) which has tried to created a Data value from the contents of a file (frame 5) which has eventually called open (frame 0), which is what triggered the violation.

Using this information, investigate and fix your sandbox incompatibility.

No Sandbox Violation Report

It’s possible that you might not see a sandbox violation report even though the problem is caused by the App Sandbox. For example, imagine you have code like this:

 let url: URL = … some file URL …
let data: Data
if access(url.path, R_OK) == 0 {
    data = try Data(contentsOf: url)
} else {
    data = Data()
}

The access system call never triggers a sandbox violation report. If the App Sandbox blocks access to url, this code will not fail, not generate a sandbox violation report, and set data to empty.

IMPORTANT Preflighting file system calls is racy and, in the worse case, can result in TOCTTOU vulnerabilities. Avoid writing code like this.

Debugging problems like this can be tricky.

Boost

	type:error
	subsystem:com.apple.sandbox.reporting
	category:violation

	type: error
	time: 11:58:26.009175+0000
	process: sandboxd
	subsystem: com.apple.sandbox.reporting
	category: violation
	message: Sandbox: AppSandboxViolat(5807) deny(1) file-read-data /Users/quinn/.ssh/id_rsa

	Thread 0 (id: 291952):
	0 libsystem_kernel.dylib … __open + 10
	1 Foundation … _NSReadBytesFromFileWithExtendedAttributes + 167
	2 Foundation … -[NSData(NSData) initWithContentsOfFile:options:maxLength:error:] + 119
	3 libswiftFoundation.dylib … NSData.__allocating_init(contentsOf:options:) + 77
	4 libswiftFoundation.dylib … Data.init(contentsOf:options:) + 76
	5 AppSandboxViolator … ViewController.violateAction(_:) + 1507 (ViewController.swift:25)
	6 AppSandboxViolator … @objc ViewController.violateAction(_:) + 65 (<compiler-generated>:0)
	7 AppKit … -[NSApplication(NSResponder) sendAction:to:from:] + 288
	…

	let url: URL = … some file URL …
	let data: Data
	if access(url.path, R_OK) == 0 {
	data = try Data(contentsOf: url)
	} else {
	data = Data()
	}