Sandbox violations by MacOS-native-services (Family, imagent and searchpartyuseragent) leading to diagnostic runs and contactsd hogging resources

// Console (filtering kernel errors)

//sudo dtruss -p <Family PID>

SYSCALL(args) = return
kevent_id(0x14F705260, 0x16D8DA518, 0x1) = 0 0
workq_kernreturn(0x100, 0x16D9F2B80, 0x1) = 0 Err#-2
write_nocancel(0x2, "CoreData: fault: Unable to create token NSXPCConnection.  NSXPCStoreServerEndpointFactory 0x150863e30 -newEndpoint returned nil\n\0", 0x80) = 128 0
ulock_wait(0x1050002, 0x102994A00, 0x4E52) = 0 0
ulock_wake(0x1000002, 0x102994A00, 0x0) = -2 0
madvise(0x14F820000, 0x4000, 0x7) = 0 0
proc_info(0x2, 0x327, 0xD) = 64 0
fstat64(0x2, 0x16D8DA890, 0x0) = 0 0
writev(0x2, 0x16D8DA838, 0x3) = 79 0
__semwait_signal(0x903, 0x0, 0x1) = -1 Err#60
write_nocancel(0x2, "CoreData: error: addPersistentStoreWithType:configuration:URL:options:error: returned error NSCocoaErrorDomain (134060)\n\0", 0x78) = 120 0
statfs64(0x14F7107C0, 0x16D8DAC90, 0x0) = 0 0
open("/var/db/timezone/zoneinfo/GMT\0", 0x0, 0x0) = 3 0
getentropy(0x16D8DB7A8, 0x20, 0x0) = 0 0
bsdthread_ctl(0x100, 0x8FF, 0xFFFFFFFF) = 0 0

// codesign -d --entitlements :- /System/Library/CoreServices/Family.app/Contents/MacOS/Family

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.application-identifier</key>
        <string>0000000000.com.apple.Family</string>

        <key>com.apple.biome.compute.publisher.service</key>
        <true/>

        <key>com.apple.developer.associated-domains</key>
        <array></array>

        <key>com.apple.payment.all-access</key>
        <true/>

        <key>com.apple.payment.amp-card-enrollment</key>
        <true/>

        <key>com.apple.payment.card-on-file</key>
        <true/>

        <key>com.apple.private.accounts.allaccounts</key>
        <true/>

        <key>com.apple.private.biome.client-identifier</key>
        <string>0000000000.com.apple.Family</string>

        <key>com.apple.private.biome.read-only</key>
        <array>
            <string>FindMyLocationChange</string>
        </array>

        <key>com.apple.private.bmk.allow</key>
        <true/>

        <key>com.apple.private.familycircle</key>
        <true/>

        <key>com.apple.private.followup</key>
        <true/>

        <key>com.apple.private.in-app-payments</key>
        <true/>

        <key>com.apple.private.security.storage.familycircled</key>
        <true/>

        <key>com.apple.private.swc.system-app</key>
        <true/>

        <key>com.apple.private.tcc.allow</key>
        <array>
            <string>kTCCServiceAddressBook</string>
        </array>

        <key>com.apple.security.app-sandbox</key>
        <true/>

        <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
        <array>
            <string>/Library/Caches/FamilyCircle/</string>
        </array>

        <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
        <array>
            <string>com.apple.biome.PublicStreamAccessService</string>
            <string>com.apple.biome.access.user</string>
            <string>com.apple.biome.compute.publisher.service.user</string>
            <string>com.apple.AddressBook.ContactsAccountsService</string>
            <string>com.apple.biome.compute.source.user</string>
            <string>com.apple.passd.library</string>
            <string>com.apple.passd.in-app-payment</string>
            <string>com.apple.passd.library</string>
            <string>com.apple.passd.payment</string>
        </array>

        <key>com.apple.security.temporary-exception.shared-preference.read-write</key>
        <array>
            <string>com.apple.FamilyCircle</string>
        </array>
    </dict>
</plist>

// log show --predicate 'process == "contactsd"' --info --last 1h

Ran into sandbox violations on my Macs, similar to this. I dove deep, disabled SIP for dtruss. Noticed Family, imagent, and searchpartyuseragent consistently hitting barriers with com.apple.contactsd.persistence. Checked entitlements of these client apps, none explicitly allowed contactsd. Logs from syslog and dtruss confirmed contactsd blocking connections due to missing entitlements. Seems like a bug.

Any news on this?

Post the Etrecheck data, please? Download that, run, share the generated hardware and software configuration report to the clipboard, then open a new reply here, and use the Additional Text button and paste and post the report here.

flindeberg wrote:

What do you except to find that affects the behaviour of Apple-signed binaries part of their core offering in the report provided by Etrecheck? Etrecheck seems to be completely userland AFAIK.

No kernel extensions ("Kexts") or similar loaded which can affect the processes mentioned in the OP.

I don’t know what to expect to find, which is why I asked for the inventory.

Lots of stuff can be involved here.

Kernel extensions are one of many potential issues.

This could be add-on apps, could be a TCC corruption, some local or iCloud corruption, or could be something caused by that “I have no idea how I did this” mentioned earlier. Lots of things can cause some Apple or third-party apps to hog two cores, too. Bugs, configuration errors, conflicts with add-on apps (anti-malware, VPNs, cleaners, etc). Sometimes that core usage an issue, and sometimes it’s something doing its job in the background. You’re way closer to those Macs than we are too, and with physical access too. Which is all part of why I’d asked for the inventory.

I wish you well with these Macs and with this issue, and will be unfollowing the thread.

Never look at the logs. I've seen more than one person lose their minds that way. I'm not joking.

If you are experience some specific problem, then describe that problem in detail. If that is happening, then an EtreCheck report might help to identify what 3rd party scam ware is causing it.

flindeberg wrote:

What do you except to find that affects the behaviour of Apple-signed binaries part of their core offering in the report provided by Etrecheck? Etrecheck seems to be completely userland AFAIK.

Not sure what you mean there. EtreCheck is just a regular app, but it can identify and list any 3rd party system modifications. EtreCheck doesn't make any changes. It just lists what it finds.

No kernel extensions ("Kexts") or similar loaded which can affect the processes mentioned in the OP.

Belly laughs on that one! 😄

I can't tell you any more than I already have. If you are experiencing a specific problem where an app is not behaving as you would expect, or how it is documented to behave, then you should start a new question and describe that unexpected behaviour in detail.

Don't look at log files, not for any reason. They are absolutely meaningless. I know this doesn't make sense, but you have to believe me here. There are hundreds of system tasks running constantly. They are constantly spitting out all kinds of bad-sounding error messages.

That's all 100% normal. I just fired up Console for a quick sample. (Alas, it crashed. Let's try that again. 😄 ) Only 77 messages per second. 4 are red critical errors and 94 are warnings. And remember, I run a tight ship with a minimum of 3rd party system modifications. And I'm still on Monterey. (I should say I'm back on Monterey after Apple forced an upgrade to Sonoma the other day.)

Like every other Mac users, you are swimming in a sea of error messages. You can either focus on what you bought that computer to do, or go to war with the never-ending waves of bugs. Your choice.

flindeberg wrote:

How is "hogging around 2 CPUs" not a specific problem?

It might be a problem, but a very nebulous one. What is your definition of "hogging"? In what context? For how long? What tasks?

If you have any insight into sandbox-operations for MacOS for system builtins, please advice.

I do. Ignore them.

For example, do you know how to enable sandbox violation reports for system builtins, similar to how you can gather violation reports for userland processes? (i.e. Discovering and diagnosing App Sandbox violations | Apple Developer Documentation)

That's developer documentation. It is intended for 3rd party developers only. If a 3rd party app has sandbox violation errors, it may be doing something wrong. It could be in violation of some Apple or App Store policy. Those are all bad things. None of that applies to Apple's own software.

As noted in Understanding Sandbox Violations f… | Apple Developer Forums, Apple will not provide developer support for their own binaries.

Apple only provide support for developers using official Apple APIs. If my app was emitting sandbox violations, then Apple might provide support by helping me eliminate them. But then again, they might not. The first thing I would check is to make sure I'm doing everything correctly. Then I could check to see if other developers are experiencing the same messages with the same APIs. I might even check Console to see if Apple's own apps emit the same errors. If it all looks good, then I'll just ignore it. This is typical developer experience. Each new OS version and new Xcode version comes with an annoying set of errors that it spits out with normal operations.

But none of that is anything that you need to worry about.

flindeberg wrote:

But I cannot use it for what I bought it for, right?

Right? I don't know what you are asking. Why can't you use it? Please be specific.

Try running `diagnosticd` every ten seconds and you'll understand what I mean :-)

(you can simulate it with Shift + Command + Control + Option + period)

That's the keystroke combination for a sysdiagnose. That doesn't have anything to do with diagnosticd. A sysdiagnose will significantly reduce your performance. Why would you ever do that? And why every ten seconds? Don't do that at all.

It's all in the OP. `contactsd` is long-running

Anything that ends with a "d" is a daemon. These are processes owned by root. Typically they run constantly, 24/7, 365 days a year (366 this year).

as you can see it has accrued around 6h of CPU time over a calendar span of roughly 24 hours, 18 or so of them which the computer was not sleeping.

I actually can't see anything on your computer. All I know is what you tell me. And you simply aren't saying anything.

Since `diagnosticsd` instances a new process per run I don't have the same statistics for that.

Don't run that.

To be very blunt with words, `contactsd` has consumed more computational power than the processes drawing pixels have.

`Family`, which I now realise after digging (*probably*) is the agent behind the family pane of preferences, is one of the culprits behind the scenes, i.e. an instigator of the initial mach-lookup deny (with seven retries followed by a diagnostics run). `imagent` and `searchpartyuseragent` are being used a bit all over the place, it seems like, so it is harder to track down exactly what gets them going.

OK. I think I get it. Do you have the same problem described in this thread? contactsd causing high CPU and memory usa… - Apple Community

Forget running Console. Forget sandbox violations. Forget diagnosticd. None of that means anything. This is a Google bug. You'll have to take it up with them.