Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Mac app sandboxing and forkpty()

Tags:

People also ask

Does Mac Have a sandbox mode?

Overview. The App Sandbox is an access control technology that macOS provides and enforces at the kernel level. The sandbox's primary function is to contain damage to the system and the user's data if the user executes a compromised app.

What is Apple app sandbox?

App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user's data if an app becomes compromised. Apps distributed through the Mac App Store must adopt App Sandbox.

Are Apple apps sandboxed?

All third-party apps are “sandboxed,” so they are restricted from accessing files stored by other apps or from making changes to the device. Sandboxing is designed to prevent apps from gathering or modifying information stored by other apps.

I'm looking to sandbox an app to comply with the March 1st sandboxing requirement of the Mac App Store. My app includes a built-in terminal emulator which utilizes a forkpty() call to launch processes in a pseudo-tty environment. Unfortunately, this call fails under the sandbox with the error "Operation not permitted", although the fork() call works just fine. Presumably the forkpty() call requires read/write access to the /dev/ directory to create a pseudo-tty (according to the man page). I've tried adding a temporary sandboxing entitlement (com.apple.security.temporary-exception.files.absolute-path.read-write) with read/write access to /, and I now can indeed read and write files anywhere on the file system, but the forkpty() call still fails with the same error. Does anyone know how I might get forkpty() to work under the sandbox?

My app is a programming text editor with a built-in terminal emulator and file browser, so it essentially needs to have access to the entire file system. Apart from the forkpty() problem, this temporary entitlement seems to do what I need. But will Apple accept an app with such a loosely defined temporary exception entitlement?

Thanks in advance guys. I really hope I can get this sandboxing up and running so I continue to distribute my app through the App Store.

Related questions

facebook javascript sdk UI dialog resetting scroll position
How to distinguish a file from a folder while uploading using drag and drop in jquery?
How do I create a bounded memoization decorator in Python?
UISplitViewController delegate in a singleton
Javascript Click event not firing when clicking on an element's padding
Is there a list of values I can use for objectClass and objectCategory?
How to resume file download through FTP using Curl in C?
FileDialog crash when bottom 4GB full
Rate limiting to prevent malicious behavior in ExpressJS
How to make sqlite robust over a Windows shared drive
How to choose a DI container? [duplicate]
C++ right way of returning a generic collection of type

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!