https://man.freebsd.org/cgi/man.cgi?query=sandbox-exec&aprop...:
“The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide”
That still is the case for MacOS 26.3 (https://man.freebsd.org/cgi/man.cgi?query=sandbox-exec&aprop...)
MacOS 10.13.6 is from 2017, so this has been deprecated for almost 10 years.
I wonder how many major applications and tools depend on sandbox-exec today despite that depreciation, IIRC I can think of the Codex CLI and Swift Package Manager.
Claude, Firefox, safari, chrome, etc etc etc etc
Basically everyone who has to care about security on the Mac.
Bazel as well.
and Homebrew!
Does anyone have any details regarding the deprecation? I wonder why Apple made this decision.
"sandbox-exec" is deprecated in the sense of "please don't use this method to run sandboxes" rather than the mechanism going away.
If you are using "sandbox-exec" then you are likely maintaining your own seatbelt profile. Keeping those up to date can be challenging, especially for 3rd parties as any changes to underlying Frameworks and libraries can break a hand crafted profile.
If you are using it to secure your own stuff and accept this and not complain, even for minor SW updates, then you are going to be fine. Don't ship things to 3rd parties without also accepting this. That is what this deprecated means.
There’s not that much detail. A few comments in 2019 from a DTS person indicated that Apple didn’t really anticipate people shipping on this in volume. My guess is they want to dissuade people from using it.
They can’t immediately just do away with it because a bunch of their first party apps use it (entitlements don’t cut it). It’s a weird space.
> a DTS person
Quinn the Eskimo, no doubt. I'm convinced he or she is the only actual human being providing developer technical support at Apple. Certainly the only one I've ever successfully communicated with. Support tickets go to robots who are incapable of providing relevant answers. Maybe Quinn is an alias with a team of humans behind it, but I don't think so. I've had him or her take forum posts to private e-mail and it does seem like a single person.
Unfortunately, even Quinn is fully at the mercy of Apple's internal bureaucracy, which is quite formidable.
Yeah, it was Quinn. I didn’t want to name them and seem too knowing haha.
It's not much of a giveaway. Quinn is the most likely respondent to questions on https://developer.apple.com/forums/ for years now, including this one about sandbox-exec in 2019:
https://developer.apple.com/forums/thread/124284
:-)
Not the only one, but the most prolific that’s for sure.
I don’t know if there are problems with this tool, but the App Sandbox is very configurable and every app store app is in one. It doesn’t make sense to maintain two different complex sandboxing solutions.
App Sandbox is fundamentally a way for programs to use the underlying sandbox subsystem without having to write SBPL code themselves. When a program has opted into the App Sandbox, the system applies one of these sandbox policies automatically during app initialization. The policy examines the entitlements of the application to determine which additional resources should be permitted. See /System/Library/Sandbox/Profiles/application.sb if you're curious.
By far the biggest advantage of App Sandbox is that the policy ships along with the OS. If a system framework changes what resources it accesses in a software update, Apple can update the policy so the framework functionality still works. If your app uses a custom sandbox policy, you're on your own to both notice that something has changed and to update your policy.
The downside is that the App Sandbox policy is limiting and inflexible.
That’s not true. Lots of apple’s own first party apps use SBPL to sandbox because the entitlement granularity doesn’t cut it. There’s also lots of apps on the MAS which use temporary-exception SBPL to fully sandbox.
I agree that there is no sense in operating dual systems, but entitlements can’t replace SBPL yet.
The Sandboxing and Entitlements mechanisms are very different. Sandboxing can only drop access to resources, it cannot grant access that was not already there [1]. Entitlements are all about giving additional selective privileges or to make the sandbox NOT remove access (like full disk access or debug ability ). Entitlements are bound to processes only and are non-transferable. This is in contrast to a capability based system where they can be passed around. Reasoning about capabilities is challenging because analysis effectively requires global knowledge of the system. Binding entitlements to libraries or Frameworks would turn them into capabilities.
[1] a GUI app can restore access to files by using a trusted external selection process.
Edit: change footnote reference to prevent markup error.
This is true. I was being brash. Let me say instead that the split in reasoning and evaluation as it exists on macOS in this area is rough and potentially not needed. Granted, I don't have a better answer in my back pocket, and the fact that Apple has kicked the can for 15 years on trying to harmonize these is a sign it's hard.
Does this mean you tried to ship an App in the Apple App Store but could not because of some restriction?
If swift package manager is using it (I believe it is based on some of the error messages I occasionally see from it), deprecating it is difficult, since SPM is not distributed as an App Store app.
Meh, cron on OS X/macOS has been deprecated for over 20 years.
And its binary is banned on certain macOS installations. I have two identical mac minis with the very same OS version. On one cron runs, on the other the cron binary doesn't run (killed: 9) even if I re-sign the binary in different location with my own codesigning identity. It's that banned.
That's fascinating. I'd love to see a shasum tree of both OS installs to know if this was due to some path-dependent upgrade sequence one of the machines went through; or whether this is down to some sub-model-number hardware-component stepping issue with power efficiency or something, that only one of the machines is affected by, where the implemented launchd solution is "don't let cron run."
The one machine where cron was working, had crontabs prior to upgrade to 15.x. The other had none.
I have googled back then and discovered that yes Apple specifically want us to suffer with their braindamaged launchd instead of cron, and thus they went to extraordinary lengths to get rid of working tools.
Anyway, cron is easy to rebuild from sources, so that's what I did.
Why would Apple "ban" a binary they ship with the OS? If I just run /usr/sbin/cron on my Apple Silicon Mac, the output is "Killed: 9" but if I actually create a crontab for a user, it works.
crontab exits immediately on one of the macs. The other had crontabs prior to upgrading to 15.something.
[dead]