Is it possible to apply different sandbox rules for multiple binaries in a single MAS app?

Hello,

It seems that an App Store version App uses a default sandbox configuration. However, my app contains multiple binaries, and I would like to apply additional sandbox restrictions to a specific binary.

Is it possible to set different sandbox rules for different binaries within the same app?

Thank you for your help!

Accepted Answer

You’re talking about App Sandbox in a Mac App Store app, right?

If so, then yes, it’s fine to have different executables within your app use different sandbox configurations. For example, it’s a good design pattern to use the strictest sandbox for your main app and then add:

  • An XPC service with a looser sandbox, so it can access the network

  • An XPC service with a tighter sandbox, to process the data coming in off the network

However, the standard requirements apply:

  • All executables must be sandboxed.

  • App Review takes a dim view of folks using temporary exception entitlements.

Note that the Mac App Store re-signs your app as part of its distribution process, but that re-signing preserves your sandbox entitlements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
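
The two requirements in the answer above (every executable sandboxed, no reliance on temporary exception entitlements) can be checked per executable before submission. The following is an added example, not part of the original answer or any Apple tooling: it audits entitlements plists such as those printed by `codesign -d --entitlements`, and the executable names and sample plists are constructed for illustration.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."

def _load(raw):
    # An unsigned or entitlement-less executable yields no plist at all.
    return plistlib.loads(raw) if raw else {}

def audit(entitlements_by_executable):
    """Return {executable: [findings]}; an empty list means no issue found."""
    report = {}
    for name, raw in entitlements_by_executable.items():
        ents = _load(raw)
        findings = []
        if ents.get(SANDBOX) is not True:
            findings.append("not sandboxed")
        findings += [f"temporary exception: {key}"
                     for key in sorted(ents) if key.startswith(TEMP_EXCEPTION_PREFIX)]
        report[name] = findings
    return report

def extra_grants(entitlements_by_executable, baseline):
    """List the entitlements each executable holds beyond the baseline one."""
    base = set(_load(entitlements_by_executable[baseline]))
    return {name: sorted(set(_load(raw)) - base)
            for name, raw in entitlements_by_executable.items() if name != baseline}

# Constructed sample: hypothetical executables inside one app bundle.
SAMPLE = {
    "MyApp": plistlib.dumps({SANDBOX: True}),
    "NetworkService.xpc": plistlib.dumps(
        {SANDBOX: True, "com.apple.security.network.client": True}),
    "ParserService.xpc": plistlib.dumps({SANDBOX: True}),
    "legacy-helper": plistlib.dumps(
        {TEMP_EXCEPTION_PREFIX + "files.absolute-path.read-only": ["/Library/"]}),
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or "ok")
    print(extra_grants(SAMPLE, "MyApp"))
```

The `extra_grants` output makes the per-executable differences explicit, so a looser service such as the network one shows exactly which capabilities it adds over the main app.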
