Sandbox Violation on Runtime Exec

David DeHaven david.dehaven at oracle.com
Tue Jun 12 13:45:46 PDT 2012


>> Can anyone explain why that would be? 
> 
> For Runtime exec the command runs in some kind of subprocess. I'm not familiar with sandboxed yet but does it pass entitlements through to subprocesses?
> If that's it and there's no way to give the subprocess the same entitlements NSTask and JNI might be how you have to go?

Sorry for the long URL:
https://developer.apple.com/library/mac/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html
(read "XPC and Privilege Separation")

In short, sub-processes spawned with POSIX calls or NSTask inherit the parent process entitlements. If you want different entitlements you need to create an XPC service, which runs in its own sandbox and communicates with the parent process.

-DrD-



More information about the macosx-port-dev mailing list