1 2 3 Previous Next 30 Replies Latest reply: Nov 26, 2013 1:03 PM by dotpage Go to original post
  • 15. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    OoO_Bailey_OoO Level 1 Level 1 (0 points)

    Hi,

     

    Any news on this one? I can see these messages as well, but like you said, there is no collabpp.sb profile to edit.

     

    2012-10-15 1:06:18.000 PM kernel[0]: Sandbox: sandboxd(20365) deny mach-lookup com.apple.coresymbolicationd

    2012-10-15 1:06:19.720 PM sandboxd[20365]: ([20362]) collabpp(20362) deny file-read-metadata /private/var/teamsserver

    2012-10-15 1:06:20.466 PM sandboxd[20365]: ([20362]) collabpp(20362) deny file-read-data /Library/Preferences/.GlobalPreferences.plist

    2012-10-15 1:06:21.327 PM sandboxd[20365]: ([20362]) collabpp(20362) deny file-read-data /Library/Preferences/.GlobalPreferences.plist

  • 16. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    petrahu Level 1 Level 1 (0 points)

    Edit the file

    /Applications/Server.app/Contents/ServerRoot/System/Library/Sandbox/Profiles/col labpp.sb

     

    add to the list of "allow file-read*":

          (literal "/Library/Preferences/.GlobalPreferences.plist")

    add to the list of "allow file-read-metadata":

         (literal "/private/var/teamsserver")

     

    and reboot.

     

    Regards.

    P.

  • 17. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    OoO_Bailey_OoO Level 1 Level 1 (0 points)

    Hey that worked. Thanks! I was looking in the wrong spot for the profile.

     

    I suppose I could use these general principles for other recognizable sandboxd errors (coresymbolicationd, mdworker).

  • 18. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    Michael Carter Level 1 Level 1 (0 points)

    Where did you find that documented?

  • 19. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    tim_r_66 Level 1 Level 1 (30 points)

    Petrahu,

     

    Adding your entries to my collabpp.sb fixed the errors in my log, but I'd be happy if you could explain why?  And, what is impacted by these changes?

     

    Also, I did a sudo mkdir /var/teamsserver and that seems to have cleared up those errors but doesn't seem to have impacted by wiki/webcal/group calendars issues.  Again, are you able/willing to explain the issue with the teamsserver and what is affected by clearning the error?

     

    Thanks!

     

    Tim

     

    Message was edited by: tim_r_66: meant to reply to Petrahu

  • 20. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    petrahu Level 1 Level 1 (0 points)

    The task of the apparmor process in Linux distributions is  similar.

    There are definitions about process permissions in some configuration files. I did a

    "find / -xdev -name \*collabpp\*",  found this file and my experience helped me.

     

    The missing directory /var/teamsserver seems to be a design error from Apple,

    I don't know.

     

    Regards.

    Petra


  • 21. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    - Krzysztof - Level 1 Level 1 (5 points)

    I'm trying to remove all errors, that are logged every five minutes.

    Some I found in the discussions and removed them.

     

    Jan 26 10:21:18 server com.apple.launchd[1] (com.apple.collabd.expire[1577]): Exited with code: 1

    Jan 26 10:21:18 server.mydomain.com sandboxd[1581] ([1578]): collabpp(1578) deny file-read-data /Applications/Server.app/Contents/ServerRoot/usr/lib/libpq.5.5.dylib

    Jan 26 10:21:18 server kernel[0]: Sandbox: sandboxd(1581) deny mach-lookup com.apple.coresymbolicationd

    Jan 26 10:21:21 server.mydomain.com collabd[154]: [CSContentService:47 411c000 +11ms] Detected Magic Superuser Auth Token

    I don't know what it is. Can someone help?

  • 22. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    ajm_from_WA Level 1 Level 1 (10 points)

    I am having similar problem, but i do not see the teamserver user in WGM, even after showing system records....

  • 23. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    Malbrouck Level 1 Level 1 (10 points)

    It seems the library version has increased. In the collabpp.sb file I found the line:

     

    (literal "/Applications/Server.app/Contents/ServerRoot/usr/lib/libpq.5.4.dylib")

     

    And I added just under it the line:

     

    (literal "/Applications/Server.app/Contents/ServerRoot/usr/lib/libpq.5.5.dylib")

  • 24. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    alexri Level 1 Level 1 (10 points)

    Even if I activate "show system entries" in Workgroup Manager I can't find the user "teamserver".

    Should I create it? What services creates it in general?

  • 25. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    - Krzysztof - Level 1 Level 1 (5 points)

    I can't find the callabpp.sb file.

     

    Where should it be?

  • 26. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    Trismegister Level 1 Level 1 (10 points)

    Some explanation of the sandbox technology and what these .sb file entries mean is given here.

  • 27. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    dotpage Level 1 Level 1 (0 points)

    Thanks all!

     

    Did it all, have less errors, but this persists:

     

    7/21/13 3:40:05.269 PM sandboxd[757]: ([753]) collabpp(753) deny file-read-data /Library/Preferences/.GlobalPreferences.plist

     

    Report:

     

    collabpp(753) deny file-read-data /Library/Preferences/.GlobalPreferences.plist

     

     

    Process:         collabpp [753]

    Path:            /Applications/Server.app/Contents/ServerRoot/usr/sbin/collabpp

    Load Address:    0x1098fa000

    Identifier:      collabpp

    Version:         ??? (???)

    Code Type:       x86_64 (Native)

    Parent Process:  launchd [1]

     

     

    Date/Time:       2013-07-21 15:40:04.749 -0500

    OS Version:      Mac OS X 10.8.3 (12D78)

    Report Version:  8

     

     

    Thread 0:

    0   libsystem_kernel.dylib                  0x000000010caed6c2 semaphore_wait_trap + 10

    1   libxpc.dylib                            0x000000010cbaee1f xpc_connection_send_message_with_reply_sync + 127

    2   CoreFoundation                          0x000000010a4ec1a0 -[CFPrefsPlistSource copyReplyForDaemonMessage:toConnection:error:] + 144

    3   CoreFoundation                          0x000000010a4ecda8 __33-[CFPrefsPlistSource synchronize]_block_invoke_0 + 296

    4   CoreFoundation                          0x000000010a4e8727 withDaemonConnection + 87

    5   CoreFoundation                          0x000000010a4ecb8c -[CFPrefsPlistSource synchronize] + 316

    6   CoreFoundation                          0x000000010a4eb9c1 -[CFPrefsPlistSource synchronizeIfStale] + 113

    7   CoreFoundation                          0x000000010a4eba9a -[CFPrefsPlistSource copyValueForKey:] + 42

    8   CoreFoundation                          0x000000010a4eaa33 -[CFPrefsSearchListSource copyValueForKey:] + 131

    9   CoreFoundation                          0x000000010a4e68a0 __CFPreferencesCopyAppValue_block_invoke_0 + 32

    10  CoreFoundation                          0x000000010a4ea008 +[CFPrefsSearchListSource withSearchListForIdentifier:perform:] + 824

    11  CoreFoundation                          0x000000010a3bf9ca CFPreferencesCopyAppValue + 186

    12  CoreFoundation                          0x000000010a407fb2 CFPreferencesGetAppIntegerValue + 34

    13  CFNetwork                               0x000000010c41eb74 DiagnosticLogging::userDiagnosticLevel() + 102

    14  CFNetwork                               0x000000010c41ead8 DiagnosticLogging::newMsg(LogFormatter::LineInfo const&, DiagnosticLogging::Level) + 22

    15  CFNetwork                               0x000000010c42d8ee DiskCookieStorage::initialize(MemoryCookies const*) + 356

    16  CFNetwork                               0x000000010c42d656 _createByFile(__CFDictionary const*) + 116

    17  CFNetwork                               0x000000010c42d47f _createByIdentifier(__CFDictionary const*) + 495

    18  CFNetwork                               0x000000010c42d118 cacheOrCreate(__CFDictionary const*, PrivateHTTPCookieStorage* (*)(__CFDictionary const*)) + 246

    19  CFNetwork                               0x000000010c42cdf1 _CFHTTPCookieStorageCreateWithProperties + 819

    20  CFNetwork                               0x000000010c42ca65 __copyCookieStorage_block_invoke_0 + 273

    21  libdispatch.dylib                       0x000000010c8ea0b6 _dispatch_client_callout + 8

    22  libdispatch.dylib                       0x000000010c8ea041 dispatch_once_f + 50

    23  CFNetwork                               0x000000010c42c93d StorageSession::copyCookieStorage() const + 83

    24  CFNetwork                               0x000000010c42bfc3 _CFHTTPCookieStorageGetDefault + 47

    25  Foundation                              0x0000000109cd57be -[NSHTTPCookieStorageInternal initWithSharedStorage] + 78

    26  Foundation                              0x0000000109cd573c -[NSHTTPCookieStorage(NSInternal) _initWithSharedStorage] + 90

    27  Foundation                              0x0000000109cd56c3 initSharedCookieManager + 40

    28  libsystem_c.dylib                       0x000000010c983ff0 pthread_once + 87

    29  Foundation                              0x0000000109cd5692 +[NSHTTPCookieStorage sharedHTTPCookieStorage] + 23

    30  WebKit                                  0x0000000109a696cc WKSetCookieStoragePrivateBrowsingEnabled + 28

    31  WebCore                                 0x000000011204edd2 WebCore::Settings::setPrivateBrowsingEnabled(bool) + 34

    32  WebKit                                  0x0000000109a18cb5 -[WebView(WebPrivate) _preferencesChanged:] + 1477

    33  WebKit                                  0x0000000109ac8d7e -[WebView(WebPrivate) _commonInitializationWithFrameName:groupName:] + 2382

    34  WebKit                                  0x0000000109a12e53 -[WebView(WebPrivate) _initWithFrame:frameName:groupName:usesDocumentViews:] + 195

    35  WebKit                                  0x0000000109a12c8f -[WebView initWithFrame:frameName:groupName:] + 255

    36  WebKit                                  0x0000000109a3eaac -[WebView initWithFrame:] + 60

    37  collabpp                                0x00000001098fdcb6 setupWebKitApp + 326

    38  collabpp                                0x00000001098ffe3a main + 1457

    39  libdyld.dylib                           0x000000010c9287e1 start + 0

     

     

    Thread 1:

    0   libsystem_kernel.dylib                  0x000000010caefd16 kevent + 10

    1   libdispatch.dylib                       0x000000010c8ec9ee _dispatch_mgr_thread + 54

     

     

    Thread 2:

    0   libsystem_kernel.dylib                  0x000000010caef6d6 __workq_kernreturn + 10

    1   libsystem_c.dylib                       0x000000010c984d13 _pthread_wqthread + 412

    2   libsystem_c.dylib                       0x000000010c96f1d1 start_wqthread + 13

     

     

    Thread 3:

    0   libsystem_kernel.dylib                  0x000000010caef6d6 __workq_kernreturn + 10

    1   libsystem_c.dylib                       0x000000010c984d13 _pthread_wqthread + 412

    2   libsystem_c.dylib                       0x000000010c96f1d1 start_wqthread + 13

     

     

    Thread 4:

    0   libsystem_kernel.dylib                  0x000000010caef6d6 __workq_kernreturn + 10

    1   libsystem_c.dylib                       0x000000010c984d13 _pthread_wqthread + 412

    2   libsystem_c.dylib                       0x000000010c96f1d1 start_wqthread + 13

     

     

    Binary Images:

           0x1098fa000 -        0x109906fff  collabpp (238.17) <A3A98098-2035-33FB-8D84-BCE39E0E0FCB> /Applications/Server.app/Contents/ServerRoot/usr/sbin/collabpp

           0x109a08000 -        0x109b93ff7  com.apple.WebKit (8536 - 8536.28.10) <792FA1F3-68F2-36F8-A070-898B3682F5DE> /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit

           0x109c9e000 -        0x109ffbff7  com.apple.Foundation (6.8 - 945.16) <89BD68FD-72C8-35C1-94C6-3A07F097C50D> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

           0x10a372000 -        0x10a55cff7  com.apple.CoreFoundation (6.8 - 744.18) <A60C3C9B-3764-3291-844C-C487ACF77C2C> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

           0x10c3c0000 -        0x10c535fff  com.apple.CFNetwork (596.3.3 - 596.3.3) <3739DC8D-8610-3740-80EC-43E130779CB8> /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork

           0x10c8e8000 -        0x10c8fdff7  libdispatch.dylib (228.23) <D26996BF-FC57-39EB-8829-F63585561E09> /usr/lib/system/libdispatch.dylib

           0x10c926000 -        0x10c929ff7  libdyld.dylib (210.2.3) <F59367C9-C110-382B-A695-9035A6DD387E> /usr/lib/system/libdyld.dylib

           0x10c96e000 -        0x10ca3aff7  libsystem_c.dylib (825.26) <4C9EB006-FE1F-3F8F-8074-DFD94CF2CE7B> /usr/lib/system/libsystem_c.dylib

           0x10cadd000 -        0x10caf8ff7  libsystem_kernel.dylib (2050.22.13) <5A961E2A-CFB8-362B-BC43-122704AEB047> /usr/lib/system/libsystem_kernel.dylib

           0x10cba3000 -        0x10cbc5ff7  libxpc.dylib (140.42) <BBE558BD-5E55-35E4-89ED-1AA6B056D05A> /usr/lib/system/libxpc.dylib

           0x111ff1000 -        0x112faefff  com.apple.WebCore (8536 - 8536.28.10) <89CDA119-0FC8-3D0E-87B8-AB96BE6D1A36> /System/Library/Frameworks/WebKit.framework/Versions/A/Frameworks/WebCore.frame work/Versions/A/WebCore

     

     

    FILE:

     

    (version 1)

    (import "system.sb")

    (deny default)

     

     

    (allow authorization-right-obtain

           (right-name "system.privilege.admin"))

     

     

    (allow file-read*

           (literal "/")

           (literal "/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/ CSLogging.framework/Versions/A/CSLogging")

           (literal "/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/ CSService.framework/Versions/A/CSService")

           (literal "/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/ PostgreSQLClient.framework/Versions/A/PostgreSQLClient")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/lib/libpq.5.4.dylib")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/lib/libpq.5.5.dylib")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/sbin/collabpp")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/sbin/collabpp.strip/..namedfo rk/rsrc")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/sbin/collabpp/..namedfork")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/sbin/collabpp/..namedfork/rsr c")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/sbin")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/share/collabd/coreclient/loca les/en.lproj/default.strings")

           (subpath "/Library/Server/Wiki")

           (subpath (param "FileDataPath"))

           (subpath "/Library/Fonts")

           (subpath "/System/Library/Fonts")

           (literal "/private/var/db/mds/messages/se_SecurityMessages")

           (literal "/Library/Server/Wiki/Logs/preview_generator.log")

           (literal "/private/tmp/kick-collabpp/kick")

           (subpath "/Library/Internet Plug-Ins")

           (subpath "/private/var/folders"))

           (literal "/Library/Preferences/.GlobalPreferences.plist")

     

     

    (allow file-read-metadata

           (literal "/Applications")

           (literal "/Applications/Server.app")

           (literal "/Applications/Server.app/Contents")

           (subpath "/Applications/Server.app/Contents/ServerRoot")

           (literal "/Library")

           (literal "/Library/Server")

           (literal "/private/var"))

           (literal "/private/var/teamsserver")

     

     

    (allow file-write*

           (subpath (param "FileDataPath"))

           (literal "/private/var/teamsserver")

           (literal "/private/tmp/kick-collabpp/kick")

           (literal "/Library/Server/Wiki/Logs/preview_generator.log")

           (subpath "/private/var/folders"))

     

     

    (allow iokit-open

           (iokit-user-client-class "IOHIDParamUserClient")

           (iokit-user-client-class "RootDomainUserClient"))

     

     

     

     

    (allow mach-lookup

           (global-name "com.apple.CoreServices.coreservicesd")

           (global-name "com.apple.FontObjectsServer")

           (global-name "com.apple.FontServer")

           (global-name "com.apple.SecurityServer")

           (global-name "com.apple.SystemConfiguration.SCNetworkReachability")

           (global-name "com.apple.SystemConfiguration.configd")

           (global-name "com.apple.cookied")

           (global-name "com.apple.decalog4.incoming")

           (global-name "com.apple.distributed_notifications@1v3")

           (global-name "com.apple.dock.server")

           (global-name "com.apple.ls.boxd")

           (global-name "com.apple.networkd")

           (global-name "com.apple.pasteboard.1")

           (global-name "com.apple.system.opendirectoryd.api")

           (global-name "com.apple.window_proxies")

           (global-name "com.apple.coreservices.appleevents")

           (global-name "com.apple.windowserver.active"))

     

     

    (allow process-exec

           (literal "/System/Library/Frameworks/WebKit.framework/WebKitPluginHost.app/Contents/MacO S/WebKitPluginHost")

           (literal "/Applications/Server.app/Contents/ServerRoot/usr/sbin/collabpp")

           (literal "/bin/chmod"))

     

     

    (allow process-fork)

     

     

    (allow mach-per-user-lookup)

     

     

    (allow network-outbound)

    ;(allow network-outbound

    ;       (literal "/private/var/pgsql_socket/.s.PGSQL.5432")

    ;       (literal "/private/var/run/mDNSResponder")

    ;       (remote tcp "*:80"))

     

     

    (allow system-socket)

     

     

    ;(allow ipc-posix-shm

    ;        (regex #"^/tmp/com.apple.csseed.[0-9]+$"))

     

     

    ; deny file-read-metadata /private/var/db/mds/system/mdsObject.db

    ; deny file-read-metadata /Library/Preferences/com.apple.security.plist

    ; deny file-read-data /Library/Preferences/com.apple.security.plist

    ; deny file-read-metadata /Library/Keychains

    ; deny file-read-metadata /Library/Keychains/System.keychain

    ; deny file-read-metadata /private/var/db/mds/system/mdsObject.db

     

     

     

     

    (allow ipc-posix-shm)

  • 28. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    Tian Hou Level 1 Level 1 (5 points)

    Maybe misplaced parentheses in (allow file-read* …

     

           (subpath "/private/var/folders"))

           (literal "/Library/Preferences/.GlobalPreferences.plist")

     

    shouldn't that be:

     

           (subpath "/private/var/folders")

           (literal "/Library/Preferences/.GlobalPreferences.plist"))

  • 29. Re: collabpp deny file-read-data /Library/Preferences/.GlobalPreferences.plist
    Gordon MacKay Level 1 Level 1 (0 points)

    If not using wiki, then:

     

    launchctl unload -w

    /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/

    com.apple.collabd.plist

     

    will unload the service that is spawning the errors.

     

    If using wiki, see below.