Is it possible to apply different sandbox rules for multiple binaries in a single MAS app?

Hello,

It seems that an App Store version App uses a default sandbox configuration. However, my app contains multiple binaries, and I would like to apply additional sandbox restrictions to a specific binary.

Is it possible to set different sandbox rules for different binaries within the same app?

Thank you for your help!

Answered by DTS Engineer in 812846022

You’re talking about App Sandbox in a Mac App Store app, right?

If so, then yes, it’s fine to have different executables within your app use different sandbox configurations. For example, it’s a good design pattern to use the strictest sandbox for your main app and then add:

  • An XPC services with a looser sandbox, so it can access the network

  • An XPC service with a tighter sandbox, to process the data coming in off the network

However, the standard requirements apply:

  • All executables must be sandboxed.

  • App Review takes a dim view of folks using temporary exception entitlements.

Note that the Mac App Store re-signs your app as part of its distribution process, but that re-signing preserves your sandbox entitlements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

You’re talking about App Sandbox in a Mac App Store app, right?

If so, then yes, it’s fine to have different executables within your app use different sandbox configurations. For example, it’s a good design pattern to use the strictest sandbox for your main app and then add:

  • An XPC services with a looser sandbox, so it can access the network

  • An XPC service with a tighter sandbox, to process the data coming in off the network

However, the standard requirements apply:

  • All executables must be sandboxed.

  • App Review takes a dim view of folks using temporary exception entitlements.

Note that the Mac App Store re-signs your app as part of its distribution process, but that re-signing preserves your sandbox entitlements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Is it possible to apply different sandbox rules for multiple binaries in a single MAS app?
 
 
Q