'xattr' command not working inside sandbox app

We have been working on an IDE for a long time, and it has com.apple.security.app-sandbox mode. Users can download the requisite SDK from the internet (out of the box) and use it in our IDE for development. Prior to using those SDK files, we noticed many times that the files have quarantine attributes (com.apple.quarantine). Such files were forbidden from use inside a sandboxed app in El Capitan due to its tighter restriction policies. To overcome this blocker, we decided to run a bash script prior to using those SDK files inside our IDE:

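#!/bin/bash
# Recursively remove the quarantine attribute from the SDK path passed as the first argument.
SDKPATH="$1"
xattr -d -r com.apple.quarantine "$SDKPATH"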

To run this smoothly, we added the following entitlement to our app:

<key>com.apple.security.scripting-targets</key>
<dict>
   <key>com.apple.Terminal</key>
   <array/>
</dict>

From an installed app, this never worked in El Cap. Finally, we found that only this particular entitlement usage can make the bash script work properly:

<key>com.apple.security.temporary-exception.apple-events</key>
<array>
    <string>com.apple.terminal</string>
</array>

Unfortunately, Apple's review teams were pretty restrictive about granting permission to use the above entitlement.

Is there any other known way or entitlement that would let us run the 'xattr' command and remove extended attributes from our app?

Monadelphous answered 8/8, 2016 at 5:27

Comment(1)
Isn't that what sandboxing is about? Hardening the system to block downloaded code and only let it run with the user's consent? - Kauffmann
