Adding a sandboxed v2ray precompiled binary to my application

Greetings! I want to add my pre-compiled binary of v2ray to my application so I can activate it in background as a proxy and run stuff through it.

I've codesigned it via: codesign -s - -i production.myproject.v2ray -o runtime --entitlements v2ray.entitlements -f v2ray

Contents of entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.files.downloads.read-write</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
</dict>
</plist>

Originally I ran it like this without sandboxing from my main target app:

    import Foundation

    /// Launches the bundled v2ray binary with the given config file and
    /// returns the running process so the caller can stop it later.
    func startV2Ray(configURL: URL) throws -> Process {
        guard let v2rayPath = Bundle.main.path(forResource: "v2ray", ofType: nil) else {
            throw NSError(domain: "ProxyController", code: 1, userInfo: [NSLocalizedDescriptionKey: "V2Ray binary not found in bundle"])
        }

        let task = Process()
        task.executableURL = URL(fileURLWithPath: v2rayPath)
        task.arguments = ["-config", configURL.path]

        // Redirect output for debugging
        let pipe = Pipe()
        task.standardOutput = pipe
        task.standardError = pipe

        try task.run()
        return task
    }


And it ran flawlessly. Now it refuses to start. Any help, pointers or examples of such usage will be greatly appreciated
Answered by DTS Engineer in 817742022

I talk about this in Resolving App Sandbox Inheritance Problems, part of my Resolving Trusted Execution Problems series. In short, you want this tool to inherit its sandbox from your app, and thus you need to sign it with just com.apple.security.app-sandbox and com.apple.security.inherit.

If you’re using Xcode to build your main app, see the Embed an externally built tool section of Embedding a command-line tool in a sandboxed app for advice on how to set that up.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
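As an added check, not taken from the thread or from Apple's own tooling, this Python script parses an entitlements plist with the standard library's plistlib and reports anything that would stop an embedded helper from inheriting its parent's sandbox: the two keys named in the answer must be present, and nothing else may be. The entitlements file from the question and an inherit-only version are embedded as constructed inputs.

```python
import plistlib

# The two entitlements an embedded helper needs in order to inherit the
# sandbox of the app that launches it (the fix given in the answer above).
INHERIT_ONLY = {"com.apple.security.app-sandbox", "com.apple.security.inherit"}

# Constructed input: the entitlements file from the question, which gives the
# helper its own sandbox profile instead of inheriting the app's.
ORIGINAL_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.files.downloads.read-write</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.network.server</key><true/>
</dict>
</plist>
"""

# Constructed input: the inherit-only entitlements the helper should be signed with.
INHERIT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.inherit</key><true/>
</dict>
</plist>
"""


def check_helper_entitlements(plist_bytes: bytes) -> list[str]:
    """Return the problems found in a helper tool's entitlements plist.
    An empty list means the file is exactly app-sandbox + inherit."""
    entitlements = plistlib.loads(plist_bytes)
    problems = []
    for key in sorted(INHERIT_ONLY):
        if entitlements.get(key) is not True:
            problems.append(f"missing or not true: {key}")
    # Any extra entitlement (network, file access, ...) means the tool is
    # asking for its own sandbox rather than inheriting the app's.
    for key in sorted(set(entitlements) - INHERIT_ONLY):
        problems.append(f"remove from inheriting helper: {key}")
    return problems
```

Run it against the file you pass to codesign's --entitlements before signing the helper; the same check can be applied to the output of codesign -d --entitlements on the signed binary.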

Additionally, when checking console I get this: ASI found [libsystem_secinit.dylib] (sensitive) 'Unable to get bundle identifier for container id production.myapp.v2ray: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey.'
