Reputation: 3532
How to sandbox a command line tool?
I've a simple unix tool made by me that launches the main cocoa app from a shell.
I need to sandbox it but when I run it, it crashes with error "Illegal instruction: 4", on console.app I can see the following error message
Sandbox creation failed: Container object initialization failed: NIL container info object with no error description for visdiff
The file is correctly signed with codesign.
I've read the post Mac OS app, sandbox with command line tool? but it doesn't help
Upvotes: 12
Views: 5466
Answers (5)
Reputation: 3570
There is now an official article on developer.apple.com, titled “Embedding a Command-Line Tool in a Sandboxed App.”
https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app
Here are the relevant steps to do (copied from the article), after you build your command line tool.
Create an entitlements file for the tool:
% /usr/libexec/PlistBuddy -c "Add :com.apple.security.app-sandbox bool true" "ToolC.entitlements" File Doesn't Exist, Will Create: ToolC.entitlements % /usr/libexec/PlistBuddy -c "Add :com.apple.security.inherit bool true" ToolC.entitlements % cat ToolC.entitlements … <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> </plist>Sign the tool as shown below:
% codesign -s - -i com.example.apple-samplecode.AppWithTool.ToolC -o runtime --entitlements ToolC.entitlements -f ToolC...
Add the ToolC executable to your Xcode project. When you do this:
- Enable “Copy items if needed”.
- Select “Create groups” rather than “Create folder reference”.
- Uncheck all the boxes in the “Add to targets” list.
In the Build Phases tab of the app target editor, add ToolC to the Embed Helper Tools build phase, making sure that Code Sign On Copy is checked.
Upvotes: 0
Reputation: 1260
While @Nick Moore's answer is perfectly fine, there's an option for this in today's Xcode under Packaging - Create Info.plist Section in Binary (CREATE_INFOPLIST_SECTION_IN_BINARY). All that's needed is setting thue to Yes.
Upvotes: 3
Reputation: 1082
It seems if you sign an executable with com.apple.security.inherit it can only be called by another application that is already sandboxed. So you can't call it from cmdline anymore after you ran codesign.
Upvotes: 0
Reputation: 15857
I was having this exact problem, and it went away when I added an embedded Info.plist.
Try these clang flags (assuming you have info.plist in the build directory):
-Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker info.plist
Upvotes: 12
Reputation: 301
Is the console application launched directly from console or is it called from a main sandboxed application? I received a similar error when trying to sandbox some binaries and I was just able to make it work by using only the below entitlements:
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
Of course, after that you can only call the binary from a parent process that is already sandboxed (that is why I asked how your binary was called :)).
Upvotes: 4
Related Questions
- Command line tool with user interface
- Mac OS app, sandbox with command line tool?
- How can I bundle a command line utility in os x application on Mac App Store (using sandbox entitlement)
- App Sandbox related
- Perform commands in Mac application sandbox?
- How to launch another process in sandbox on Mac?
- Sandbox mac osx application
- Sandboxing an executable in C
- OS X sandboxing questions
- Command Line Tools in Cocoa