Are there specific Entitlements (com.apple.security.temporary-exception.files.absolute-path.read-write or network exceptions) required to allow App Intents to talk to local UNIX sockets or loopback interfaces (127.0.0.1) without triggering sandbox violations?
Sorry I didn’t reply sooner. I didn’t see your thread until now [1].
Every app extension is sandboxed. This is obviously true on iOS, where all third-party code is sandboxed, but it’s also true on macOS, where every app extension must opt in to the App Sandbox.
Having said that, not all sandboxes are created equally. Some appexen run in a restricted sandbox, one that’s designed to prevent data from escaping. For example, Network Extension filter data providers on iOS are not allowed to ‘leak’ network traffic, as explained here.
Given that, the actual sandbox restrictions seen by your appex will vary based on the appex type. I’m not super familiar with App Intent app extensions, but AFAIK they run in a pretty standard sandbox. Moreover, you’re asking about the Mac, where AFAIK all appexen run in a standard sandbox, that is, the App Sandbox.
So, this is all just a caveat saying that the following assumes that your appex is running in a standard App Sandbox (-:
If so, there is a good story for networking and IPC, neither of which require temporary exception entitlements. On the networking front, the standard networking entitlements apply, regardless of whether you’re talking to a loopback server or not. Honestly though, using networking for IPC is less than ideal.
On the IPC front, apps and appexen from the same developer can communicate using various IPC APIs by way of an app group. See the table in App Groups Entitlement. I generally recommend XPC for this. See XPC Resources for lots of links to docs and so on. Also make sure to read XPC and App-to-App Communication.
Using IPC to talk to a program from a different developer is trickier. If you need to do that, lemme know and we can talk through your options. Be aware, however, that this may require temporary exception entitlements and, if so, won’t be compatible with Mac App Store distribution.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] In future, if you have App Sandbox questions, add the App Sandbox tag.
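As an added illustration (not part of the reply above, and not an Apple-supplied file), here is what an appex entitlements file looks like when it follows the advice in that reply: a standard App Sandbox on macOS, the regular networking entitlements for loopback traffic, and an app group for XPC with the containing app. The group identifier and bundle-style names are constructed placeholders; the temporary-exception key from the original question is shown only inside a comment, as the thing this setup does not need.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Every app extension on macOS must opt in to the App Sandbox. -->
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <!-- Talking to a server on 127.0.0.1 is still outbound networking under the
         sandbox, so the standard client entitlement applies; no loopback-specific
         exception exists or is needed. -->
    <key>com.apple.security.network.client</key>
    <true/>

    <!-- Only needed if the appex itself listens (e.g. accepts connections on a
         loopback port or a UNIX socket it created). Omit it otherwise to keep
         the sandbox profile as tight as possible. -->
    <key>com.apple.security.network.server</key>
    <true/>

    <!-- Preferred IPC path: an app group shared with the containing app, which
         lets the two sides use XPC (and other app-group IPC) without any
         temporary exception. "TEAMID.com.example.myapp" is a constructed
         placeholder; the containing app's entitlements must list the same group. -->
    <key>com.apple.security.application-groups</key>
    <array>
        <string>TEAMID.com.example.myapp</string>
    </array>

    <!-- NOT needed for the scenario in the thread, and incompatible with Mac App
         Store distribution if it were added:

    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/tmp/some.sock</string>
    </array>
    -->
</dict>
</plist>
```

The practical check is to run the appex with both sandbox entitlements and no temporary exceptions, then look in Console for `sandboxd` deny messages; if a loopback connection or app-group XPC call is denied under this configuration, the problem is usually a mismatched app group between the app and its appex rather than a missing exception entitlement.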