System Policy: deny forbidden-link-priv

App & System Services Core OS
bombich OP
Created Mar ’17
Replies 1
Boosts 0
Views 1k
Participants 2

I can't figure out where this policy is defined, and I'd like to know how it's defined because I'm trying to understand why it's imposed and what specifically the restrictions are. Here's a scenario:


[user:~] cd /tmp
[user:/tmp] mkdir -p test.app/Contents/Resources/Base.lproj
[user:/tmp] cd test.app/Contents/Resources
[user:/tmp/test.app/Contents/Resources] touch Base.lproj/test.nib
[user:/tmp/test.app/Contents/Resources] ln Base.lproj/test.nib ./test.nib
ln: ./test.nib: Operation not permitted


At that point, I see this sandbox violation in the system log:


SandboxViolation: ln(24784) System Policy: deny forbidden-link-priv
Violation:       System Policy: deny forbidden-link-priv
Process:         ln [24784]
Path:            /bin/ln


But, I can still produce that scenario if I simply move the item out of the lproj directory, then create the hard link inside of the lproj directory, e.g.:


[user:/tmp/test.app/Contents/Resources] mv Base.lproj/test.nib ./
[user:/tmp/test.app/Contents/Resources] ln ./test.nib Base.lproj/test.nib
[user:/tmp/test.app/Contents/Resources] ls -li . Base.lproj/
.:
39267820 drwxr-xr-x  3 user  wheel  102 Mar  1 12:55 Base.lproj
39267821 -rw-r--r--  2 user  wheel    0 Mar  1 12:55 test.nib
Base.lproj/:
39267821 -rw-r--r--  2 user  wheel  0 Mar  1 12:55 test.nib


Now the hard link exists, no complaints from the system. I also don't have any trouble creating these hardlinks if the parent folder hierarchy does not contain ".app", or if neither of the referents' parents is an lproj folder. So the rule seems to be specific to application bundles and lproj folders.


It looks like perhaps macOS doesn't want me to have a hard link between *.lproj resources and items outside of that lproj folder. Is that the case? Why not? (I have some guesses, but I'm hoping for an authoritative answer, or some documentation). Are there other scenarios blocked by this same "forbidden-link-priv" rule?


Incidentally, I don't have any interest in putting hard links such as these in my own applications, my concern arises when I try to copy (preserving hard links) application bundles that exist with these presumably illegal hard links.


Thanks for any insight,

Mike

Replies  1
Boosts  0
Views  1k
Participants  2
DTS Engineer OP
Apple
Mar ’17

This policy is being enforced by the sandbox KEXT (

/System/Library/Extensions/Sandbox.kext
) via it’s MAC hooks. It’s not specific to app bundles and lproj folders. Rather, there’s a general check to trap privilege escalation via hard links. I don’t fully understand this myself, and so I can’t say why the specific case you described is tripping over this check. My recommendation is that you open a DTS tech support incident so that someone (maybe even me :-) can dig into this in more detail.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
System Policy: deny forbidden-link-priv
First post date Last post date
 
 
Q