Sandbox manual and forbidden-exec-sugid

I am trying to sandbox an application, but when I launch the command, this message appears in syslog:


sandboxd[2890] ([2891]): Appx(2891) deny forbidden-exec-sugid


In the application, this message appears:

## exec failed ##

login Operation not permitted



Does anybody have any idea which operation needs to be configured in a custom profile to allow this?


Can someone help me with a manual covering all sandbox operations?

Posted on Sep 5, 2012 9:18 PM


Sep 6, 2012 7:37 AM in response to crowfs

I'm guessing around what's happening here...


Whatever you're attempting to run here - presumably a syslog daemon? - is likely trying to start and run as root, and that's not something that a sandboxed application is going to allow. You're likely going to need to figure out another way to implement your particular requirements here; to start this daemon, or whatever is going on. (Or file a radar with Apple, explaining why you need this capability from within a sandbox.)


For a bigger audience of folks that deal with this stuff and that might have some better alternatives (than those I know of), you'll probably want to use the Apple developer forums for this and other sandbox-related questions. Failing access to those forums, the Cocoa mailing list has been seeing some sandboxing discussions; check the mailing list archives, and (if you don't find anything there) post your question there.

Sep 6, 2012 1:31 PM in response to MrHoffman

Let me explain,


I downloaded the iTerm app. I want to restrict network access to only certain IP addresses, for example: only connect to IP addresses 172.21.1.5, 172.21.1.45.


When I run the following command: sandbox-exec -f prueba.sb /Applications/iTerm.app/Contents/MacOS/iTerm, iTerm crashes, and when I view the syslog file I find the following messages:



sandboxd[4438] ([4437]): iTerm(4437) deny forbidden-exec-sugid


lsboxd[619]: Denied process 4436(UNKNOWN) access to shared list com.googlecode.iterm2.SandboxedPersistentURLs.LSSharedFileList



prueba.sb has:


(version 1)

(allow default)



Sep 8, 2012 7:47 AM in response to crowfs

And AFAIK, sandboxing is also unaware of specific IP addresses, too; it's just not that granular. Applications get the com.apple.security.network.client and com.apple.security.network.server entitlements; those allow connections to be established as a client or as a server.


Recoding one of the open-source terminal tools more restrictively would likely be a feasible approach. If that's what you're up to here, then see the available Apple sandbox documentation for details on what this tool is doing that's incompatible with the sandbox.


And again, the developer forums or the mailing lists would be a better spot for this, too. More folks that deal with sandboxing lurk elsewhere, so better alternatives and options for you.
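
An added example, not part of the thread or any poster's code: a small triage script that pulls the denied operation out of sandboxd lines like the ones quoted above and checks whether a binary the sandboxed process tries to exec carries a setuid/setgid bit. It assumes `forbidden-exec-sugid` refers to executing such a binary, as the operation name suggests; the optional trailing argument in the log pattern and the path `/usr/bin/login` are assumptions, and the sample log is constructed from the lines in the thread.

```python
import os
import re
import stat
from collections import Counter

# Constructed sample input: the three log lines quoted in the thread.
SAMPLE_LOG = """\
sandboxd[2890] ([2891]): Appx(2891) deny forbidden-exec-sugid
sandboxd[4438] ([4437]): iTerm(4437) deny forbidden-exec-sugid
lsboxd[619]: Denied process 4436(UNKNOWN) access to shared list com.googlecode.iterm2.SandboxedPersistentURLs.LSSharedFileList
"""

# sandboxd[<daemon pid>] ([<pid>]): <name>(<pid>) deny <operation> [<argument>: assumed, optional]
DENY_RE = re.compile(
    r"sandboxd\[\d+\] \(\[(?P<pid>\d+)\]\): "
    r"(?P<proc>.+?)\((?P=pid)\) deny (?P<op>[\w*-]+)(?: (?P<arg>.+))?$"
)

def parse_denials(log_text):
    """Return one dict per sandboxd deny line; every other line is skipped."""
    denials = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line.strip())
        if m:
            denials.append({"pid": int(m["pid"]), "proc": m["proc"], "op": m["op"], "arg": m["arg"]})
    return denials

def summarize(denials):
    """Count denials per (process name, operation)."""
    return Counter((d["proc"], d["op"]) for d in denials)

def is_sugid(mode):
    """True if a st_mode value has the setuid or setgid bit set."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def sugid_binaries(paths):
    """Return the paths that exist and carry a setuid/setgid bit."""
    found = []
    for path in paths:
        try:
            if is_sugid(os.stat(path).st_mode):
                found.append(path)
        except OSError:
            continue  # missing or unreadable: nothing to report
    return found

if __name__ == "__main__":
    # /usr/bin/login is an assumed path for the "login" named in the exec failure.
    print(summarize(parse_denials(SAMPLE_LOG)), sugid_binaries(["/usr/bin/login"]))
```
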
