Nullifying Sandbox Contraints for an .xcodeproj following Xcode's 'command-line' template?

Environment: Xcode v. 16.2; Swift version 6+

Scenario: I have an .xcodeproj within an .xcsworkingspace that must follow the 'command-line' paradigm outside the sandbox.

My UnitTest (using the newer 'Swift Test' vs 'XCTest') is hitting runtime fatal errors due to sandbox violations.

Here's a typical error line from the compiler:

1 duplicate report for Sandbox: chmod(41377) deny(1) file-read-data /Users/Ric/Library/..

  1. I've set the .entitlement to ignore sandbox:
<key>com.apple.security.app-sandbox</key>
   <false/>
  1. I also created a shell script in the project build phase to access my TestData which was copied via a Build Phase:
#!/bin/bash
BUILD_DIR="${BUILT_PRODUCTS_DIR}"
TEST_DATA="${SRCROOT}/SwiftModelTest/TestData"

mkdir -p "${BUILD_DIR}/TestData"
cp -R "${TEST_DATA}/" "${BUILD_DIR}/TestData/"

What do I need to allow real-time Testing of my code without worrying about the Sandbox?

Answered by DTS Engineer in 824473022

You are mixing up the App Sandbox with the sandbox. Because that difference is obvious, right? |-: I explain some of the background to that in On File System Permissions.

com.apple.security.app-sandbox is an App Sandbox entitlement. It’s not relevant to MAC (which shared a lot of infrastructure with App Sandbox) or custom sandboxes (like those used by Xcode to sandbox shell script build phases).

Are you seeing this sandbox restriction when your build your test? Or when you run your test?

The former suggests an issues with your shell script build phase. Modern versions of Xcode sandbox those based on the User Script Sandboxing build setting. Xcode customises this sandbox to allow the script to access its inputs and its outputs. If the script accesses files other than those, that access is blocked by the sandbox.

As a short-term fix you can disable that build setting. The long-term fix is to constrain your script to only access its inputs and outputs. That’s important for both security and the reliability of the build system (if script accesses files that Xcode doesn’t know about, it can’t be sure to build correctly).

OTOH, if you’re hitting this problem during the execution of your tests… well… that’s a different issue. I’m happy to help you dig into that but I need to know what that code looks like.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

You are mixing up the App Sandbox with the sandbox. Because that difference is obvious, right? |-: I explain some of the background to that in On File System Permissions.

com.apple.security.app-sandbox is an App Sandbox entitlement. It’s not relevant to MAC (which shared a lot of infrastructure with App Sandbox) or custom sandboxes (like those used by Xcode to sandbox shell script build phases).

Are you seeing this sandbox restriction when your build your test? Or when you run your test?

The former suggests an issues with your shell script build phase. Modern versions of Xcode sandbox those based on the User Script Sandboxing build setting. Xcode customises this sandbox to allow the script to access its inputs and its outputs. If the script accesses files other than those, that access is blocked by the sandbox.

As a short-term fix you can disable that build setting. The long-term fix is to constrain your script to only access its inputs and outputs. That’s important for both security and the reliability of the build system (if script accesses files that Xcode doesn’t know about, it can’t be sure to build correctly).

OTOH, if you’re hitting this problem during the execution of your tests… well… that’s a different issue. I’m happy to help you dig into that but I need to know what that code looks like.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Nullifying Sandbox Contraints for an .xcodeproj following Xcode's 'command-line' template?
 
 
Q