sem_t in sandbox app

App & System Services Core OS
JMDelh OP
Created Jun ’24
Replies 4
Boosts 0
Views 336
Participants 2

Hello,

For educational purpose, I try to use a POSIX semaphore sem_t instead of a dispatch_semaphore_t in a sandbox macOS Obj-C app.

When using sandbox, the semaphore code creation :

sem_t * _unixSemaphore;
char nameSemaphore[64] = {0};

snprintf(nameSemaphore, 22, "/UnixSemaphore_sample");  
 _unixSemaphore = sem_open(nameSemaphore, O_CREAT, 0644, 0);

fails, receiving SEM_FAILED and the errno is 78 (not implemented)

However, the sem_t _unixSemaphore is created and works fine when I disable sandbox I my entitlements.

Is there a way to fix this?

Thank you in advance

Jean Marie

Answered by DTS Engineer in 789794022

This worked for me:

  1. Using Xcode 15.4 on macOS 14.4.1, I created a new test project from the macOS > App template.

  2. In Signing & Capabilities, I added the App Groups capability with an SKMME9E2Y8.Test756420 entry, where SKMME9E2Y8 is my Team ID.

  3. I added a button wired up to this code:

    - (IBAction)testAction:(id)sender {
    fprintf(stderr, "will open\n");
    sem_t * sem = sem_open("SKMME9E2Y8.Test756420/MySem", O_CREAT, DEFFILEMODE, 0);
    if (sem == SEM_FAILED) {
        int err = errno;
        fprintf(stderr, "did not open, err: %d\n", err);
        return;
    }
    fprintf(stderr, "did open\n");
    (void) sem_close(sem);
}

  4. I ran the app and clicked the button.

It printed:

will open
did open

I then you’re missed my use of slash (/) in the GGG/NNN in my earlier post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  4
Boosts  0
Views  336
Participants  2
DTS Engineer OP
Apple
Jun ’24

In general, the App Sandbox prevents app A from messing with app B. To do this it restricts access to IPC, including the Posix semaphores API you’re using here. In a sandboxed app the semaphore name must be prefixed by an app group. Specifically, the format is GGG/NNN, where GGG is an app group ID and NNN is a name of your choosing.

Your app must be claim the app group in its entitlements. Keep in mind that macOS app groups use a different format and are not explicitly authorised by a provisioning profile. See App Groups: macOS vs iOS: Fight! for the backstory.

Finally, keep your app group ID short because the maximum name length is PSEMNAMLEN, or 31.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
JMDelh OP
Jun ’24

Thank you for the answer. I followed your instructions but unfortunately I still received SEM_FAILED

Here is my entitlement file, I replace my identifier_ID by TEST12345 as I do not plan to go for the App Store

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>TEST12345.com.OBJCSemaphore</string>
	</array>
</dict>
</plist>

The group is created in ~~/Library/Group Containers

The semaphore is created using the same group name: TEST12345.com.OBJCSemaphore

I cannot see what I'm missing

0
DTS Engineer OP
Apple
Jun ’24
Accepted Answer
Recommended

This worked for me:

  1. Using Xcode 15.4 on macOS 14.4.1, I created a new test project from the macOS > App template.

  2. In Signing & Capabilities, I added the App Groups capability with an SKMME9E2Y8.Test756420 entry, where SKMME9E2Y8 is my Team ID.

  3. I added a button wired up to this code:

    - (IBAction)testAction:(id)sender {
    fprintf(stderr, "will open\n");
    sem_t * sem = sem_open("SKMME9E2Y8.Test756420/MySem", O_CREAT, DEFFILEMODE, 0);
    if (sem == SEM_FAILED) {
        int err = errno;
        fprintf(stderr, "did not open, err: %d\n", err);
        return;
    }
    fprintf(stderr, "did open\n");
    (void) sem_close(sem);
}

  4. I ran the app and clicked the button.

It printed:

will open
did open

I then you’re missed my use of slash (/) in the GGG/NNN in my earlier post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
JMDelh OP
Jun ’24

Indeed it is working fine when using the slash . I was also using the same string for the group and the semaphore and I understand now the /NNN concerns the semaphore name only.

Thank you so much Jean Marie

0
sem_t in sandbox app
First post date Last post date
 
 
Q