Our (sandboxed, distributed through the Mac App Store) app can optionally run as a CLI tool, to allow users to use it in scripts and other automation contexts. One of the use cases involves being a wrapper for the `ssh` command, but the `ssh` binary is not able to enable raw mode for stdin due to a sandbox violation (bug report).

As a reduced example, I've created https://github.com/mihaip/sandboxed-cli-test, which has a minimal C program that uses `tcsetattr` to set attributes on stdin. That fails, and `sandboxd` logs to the console `Sandbox: SandboxedCLI(30110) deny(1) file-ioctl /dev/ttys012`. If I disable sandboxing on the binary then it works as expected.

Looking through the sandbox profiles in `/System/Library/Sandbox/Profiles`, I'm not seeing cases where `file-ioctl` is enabled on `/dev/tty`. Are we out of luck, or is there a workaround?
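As an added example (not the program from the linked repository), here is a C probe that attempts raw mode on a descriptor the same way and tells a "not a terminal" result apart from a policy denial, so a wrapper can fail closed instead of reading input with echo still on. Mapping EPERM/EACCES to a sandbox denial is an assumption.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Outcome of trying to put a descriptor into raw mode. */
typedef enum {
    RAW_OK = 0,     /* attributes applied; caller must restore them */
    RAW_NOT_A_TTY,  /* descriptor is not a terminal (ENOTTY) */
    RAW_DENIED,     /* ioctl refused by policy (assumed EPERM/EACCES) */
    RAW_OTHER       /* any other failure, e.g. EBADF */
} raw_result;

static raw_result classify(int err) {
    if (err == ENOTTY) return RAW_NOT_A_TTY;
    if (err == EPERM || err == EACCES) return RAW_DENIED;
    return RAW_OTHER;
}

/* Enable raw mode on fd, saving the previous settings in *saved. */
raw_result enable_raw_mode(int fd, struct termios *saved) {
    struct termios raw;
    if (tcgetattr(fd, saved) != 0) return classify(errno);
    raw = *saved;
    cfmakeraw(&raw);
    if (tcsetattr(fd, TCSAFLUSH, &raw) != 0) return classify(errno);
    return RAW_OK;
}

/* Put the terminal back the way we found it; 0 on success. */
int restore_mode(int fd, const struct termios *saved) {
    return tcsetattr(fd, TCSAFLUSH, saved);
}

int main(void) {
    struct termios saved;
    raw_result r = enable_raw_mode(STDIN_FILENO, &saved);
    if (r == RAW_OK) {
        puts("raw mode enabled; restoring previous settings");
        restore_mode(STDIN_FILENO, &saved);
    } else if (r == RAW_NOT_A_TTY) {
        puts("stdin is not a terminal; nothing to do");
    } else {
        /* RAW_DENIED is the sandbox case: do not fall back to cooked input. */
        fprintf(stderr, "raw mode unavailable (%s); aborting\n", strerror(errno));
        return 1;
    }
    return 0;
}
```

A wrapper that reads credentials should treat RAW_DENIED as fatal rather than silently continuing with echo enabled.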