Hi,
I'm writing a sandboxed daemon that I register from my sandboxed application via SMAppService.
The registration is successful, and the daemon is launched according to the logs. However, when I try to save a keychain item into the keychain, I see entries like this in the logs:
(Security) SecItemAdd
[com.apple.securityd:atomicfile] create /Library/Keychains/System.keychain.sb-1c133873-RPL9wo: Operation not permitted
[com.apple.securityd:security_exception] UNIX error exception: 1
[com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted]
[com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted]
I'm attempting to create the item with the regular SecItemAdd function call:
import Foundation
import Security

// secretData is the Data payload being stored (as in the original post).
var query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrLabel as String: "[redacted string]",
    kSecAttrAccount as String: "[redacted string]",
    kSecAttrService as String: "[redacted string]",
    kSecValueData as String: secretData
]
// The returned OSStatus is the only in-process indication that the add failed;
// errSecSuccess means the item was written.
let status = SecItemAdd(query as CFDictionary, nil)
I'm guessing this is because the System keychain is outside of the daemon's sandbox.
Is there a way to create items for the System Keychain from a sandboxed daemon?
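As an added illustration (not code from the original post), the following Swift helper shows how a daemon can make a failed write visible rather than discarding the OSStatus as the snippet above does: it adds the item, falls back to SecItemUpdate when the item already exists, translates the status with SecCopyErrorMessageString, and reads the item back to confirm the write landed. The function names, the KeychainError type and the sample service/account strings are assumptions for the example; the Security framework calls are the standard ones.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus, String)
}

// Turn an OSStatus into the human-readable text securityd associates with it.
func describe(_ status: OSStatus) -> String {
    return (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
}

// Add a generic-password item, or update its secret if one already exists.
// Throws instead of silently continuing when the keychain rejects the write
// (for example when the daemon's sandbox denies access to the keychain file).
func upsertGenericPassword(service: String, account: String,
                           label: String, secret: Data) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    var add = base
    add[kSecAttrLabel as String] = label
    add[kSecValueData as String] = secret

    var status = SecItemAdd(add as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // Item exists: update the attributes that may have changed.
        let changes: [String: Any] = [
            kSecAttrLabel as String: label,
            kSecValueData as String: secret,
        ]
        status = SecItemUpdate(base as CFDictionary, changes as CFDictionary)
    }
    guard status == errSecSuccess else {
        throw KeychainError.unexpectedStatus(status, describe(status))
    }
}

// Read the item back so the daemon verifies the write rather than assuming it.
func readGenericPassword(service: String, account: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status, describe(status))
    }
    return data
}

// Constructed sample values for the example run.
let service = "com.example.daemon"   // assumed service name
let account = "example-account"      // assumed account name
let secret = Data("example-secret".utf8)

do {
    try upsertGenericPassword(service: service, account: account,
                              label: "Example Daemon Credential", secret: secret)
    let stored = try readGenericPassword(service: service, account: account)
    print("stored \(stored.count) bytes; round-trip matches: \(stored == secret)")
} catch KeychainError.unexpectedStatus(let status, let message) {
    // Correlate this with the com.apple.securityd entries in the unified log.
    print("keychain write failed: \(status) (\(message))")
}
```

Logging the translated status alongside the securityd entries quoted above makes the sandbox denial diagnosable from the daemon's own log stream, instead of having to infer it from an item that never appears in the keychain.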
I’ve seen this issue before. See this thread.
IMPORTANT The fix described in that thread (FB11916222) only applies to NE sysexes. If you’re building a generic launchd daemon, you’ll need to use the temporary exception entitlement.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"