12

I've a simple unix tool made by me that launches the main cocoa app from a shell.

I need to sandbox it but when I run it, it crashes with error "Illegal instruction: 4", on console.app I can see the following error message

Sandbox creation failed: Container object initialization failed: NIL container info object with no error description for visdiff

The file is correctly signed with codesign.

I've read the post Mac OS app, sandbox with command line tool? but it doesn't help

Community
  • 1
  • 1
dafi
  • 3,492
  • 2
  • 28
  • 51
  • Perhaps more information is needed. How is your tool packaged with your app? How do you execute the tool "from a shell" (code, please). What didn't help about the other question you mentioned (where did you run into problems)? – Joshua Nozzi Nov 12 '12 at 20:21
  • Did you use the --entitlements argument while codesigning? – Marius Nov 12 '12 at 19:31
  • There is now a `developer.apple.com` article on this: https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app – nishanthshanmugham May 17 '22 at 21:59

5 Answers5

11

I was having this exact problem, and it went away when I added an embedded Info.plist.

Try these clang flags (assuming you have info.plist in the build directory):

-Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker info.plist

Nick Moore
  • 15,547
  • 6
  • 61
  • 83
  • 1
    Wow. You have saved the day. I would donate all my SO points to you right now if I could. THANK YOU!!! – Lizza Sep 27 '13 at 23:10
  • what info you added in embedded Info.plist? I believe this plist is for the unix file – Swati Mar 07 '17 at 09:53
  • @Swati Whatever information you like - usual Info.plist values as for a Mac OS application. Such as CFBundleVersion, and so on. – Nick Moore Mar 10 '17 at 10:33
4

Is the console application launched directly from console or is it called from a main sandboxed application? I received a similar error when trying to sandbox some binaries and I was just able to make it work by using only the below entitlements:

<dict>                                                                                                                                                                       
  <key>com.apple.security.app-sandbox</key>                                                                                                                                  
  <true/>                                                                                                                                                                    
  <key>com.apple.security.inherit</key>                                                                                                                                      
  <true/>                                                                                                                                                                    
</dict>

Of course, after that you can only call the binary from a parent process that is already sandboxed (that is why I asked how your binary was called :)).

ryotakatsuki
  • 281
  • 1
  • 2
  • 4
  • No, my command line tool is called from unix shell, it is totally indipendent from the main sandboxed app – dafi Oct 19 '12 at 18:40
3

While @Nick Moore's answer is perfectly fine, there's an option for this in today's Xcode under Packaging - Create Info.plist Section in Binary (CREATE_INFOPLIST_SECTION_IN_BINARY). All that's needed is setting thue to Yes.

Charlie Monroe
  • 1,210
  • 9
  • 24
0

It seems if you sign an executable with com.apple.security.inherit it can only be called by another application that is already sandboxed. So you can't call it from cmdline anymore after you ran codesign.

rednoah
  • 1,053
  • 14
  • 41
  • Yep - this problem hit me as soon as I'd signed my helper executables with that minimal com.apple.security.app-sandbox + com.apple.security.inherit plist. Is there a workaround? Or do I need to add 'real' entitlements for each helper executable as if it were a parent app e.g. com.apple.security.network.client? I'm worried about the file system entitlements because my helpers might need quite wide-ranging access, far outside the confines of the home folder. – chriskilding Sep 30 '16 at 17:52
0

There is now an official article on developer.apple.com, titled “Embedding a Command-Line Tool in a Sandboxed App.”

https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app

Here are the relevant steps to do (copied from the article), after you build your command line tool.

Create an entitlements file for the tool:

% /usr/libexec/PlistBuddy -c "Add :com.apple.security.app-sandbox bool true" "ToolC.entitlements"
File Doesn't Exist, Will Create: ToolC.entitlements
% /usr/libexec/PlistBuddy -c "Add :com.apple.security.inherit bool true" ToolC.entitlements
% cat ToolC.entitlements 
…
<dict>
   <key>com.apple.security.app-sandbox</key>
   <true/>
   <key>com.apple.security.inherit</key>
   <true/>
</dict>
</plist>

Sign the tool as shown below:

% codesign -s - -i com.example.apple-samplecode.AppWithTool.ToolC -o runtime --entitlements ToolC.entitlements -f ToolC

...

Add the ToolC executable to your Xcode project. When you do this:

  • Enable “Copy items if needed”.
  • Select “Create groups” rather than “Create folder reference”.
  • Uncheck all the boxes in the “Add to targets” list.

In the Build Phases tab of the app target editor, add ToolC to the Embed Helper Tools build phase, making sure that Code Sign On Copy is checked.

nishanthshanmugham
  • 2,967
  • 1
  • 25
  • 29