Xcode Build Script Sandboxing
source link: https://indiestack.com/2023/06/xcode-build-script-sandboxing/
Apple added a new build setting to Xcode last year, ENABLE_USER_SCRIPT_SANDBOXING, which controls whether any “Run Script” build phases will be run in a sandbox or not. From the Xcode 14 Release Notes:
You can now enable sandboxing for shell script build phases using the ENABLE_USER_SCRIPT_SANDBOXING build setting. Sandboxing blocks access to files inside the source root of the project as well as the Derived Data directory unless you list those files as inputs or outputs. When enabled, the build fails with a sandbox violation if a script phase attempts to read from or write to an undeclared dependency, preventing incorrect builds.
If I noticed it last year, I had already forgotten about it, but I was reminded today while putting together a sample app to demonstrate a bug I was reporting. How was I reminded? Because evidently, starting in Xcode 15, the build setting now defaults to YES. I had added a custom Run Script phase to my project in order to finesse the contents of the built product, but when the script ran I was greeted with this error:
error: Sandbox: cp(25322) deny(1) file-read-data /Users/daniel/Project/File.txt
Luckily, when I searched the build settings for the word “sandbox” it turned up the setting, and I was able to turn it off. If you run into this with your projects, it sounds like a better fix is to declare the specific input and output files, so that the script phase is allowed access only to the files you think it should be working with.
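As an added example (not from the article), here is the shape of a Run Script phase body that works with ENABLE_USER_SCRIPT_SANDBOXING left at YES: it only touches the files listed under the phase's Input Files and Output Files, which Xcode hands to the script as SCRIPT_INPUT_FILE_COUNT / SCRIPT_INPUT_FILE_<n> and SCRIPT_OUTPUT_FILE_COUNT / SCRIPT_OUTPUT_FILE_<n>. The copy of a File.txt into the product is a hypothetical stand-in for whatever the phase actually does.

```shell
#!/bin/sh
# Added example, not the article's script. Assumes the Run Script phase declares
# one Output File for each Input File (Build Phases > Run Script > Input Files /
# Output Files); undeclared paths are exactly what the sandbox will deny.
set -eu

# Copy every declared input to the output with the same index. Reading only
# SCRIPT_INPUT_FILE_<n> and writing only SCRIPT_OUTPUT_FILE_<n> keeps the
# script inside the set of paths the sandbox allows.
copy_declared_files() {
    in_count=${SCRIPT_INPUT_FILE_COUNT:-0}
    out_count=${SCRIPT_OUTPUT_FILE_COUNT:-0}
    if [ "$in_count" -eq 0 ] || [ "$in_count" -ne "$out_count" ]; then
        # Fail with a readable message instead of an opaque "deny(1)" from cp.
        echo "error: declare one Input File per Output File (inputs=$in_count outputs=$out_count)" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$in_count" ]; do
        eval "src=\${SCRIPT_INPUT_FILE_$i}"
        eval "dst=\${SCRIPT_OUTPUT_FILE_$i}"
        mkdir -p "$(dirname "$dst")"
        cp "$src" "$dst"
        i=$((i + 1))
    done
    return 0
}

# Surface it when the build setting has been switched off, so nobody quietly
# relies on a script that reads files it never declared.
warn_if_unsandboxed() {
    if [ "${ENABLE_USER_SCRIPT_SANDBOXING:-NO}" != "YES" ]; then
        echo "warning: ENABLE_USER_SCRIPT_SANDBOXING is off; undeclared file access will not be caught" >&2
        return 1
    fi
    return 0
}

# Only run the phase body when Xcode has exported the input list.
if [ -n "${SCRIPT_INPUT_FILE_COUNT:-}" ]; then
    warn_if_unsandboxed || true
    copy_declared_files
fi
```

With the files declared, the same cp that produced the "deny(1) file-read-data" error above succeeds, and any path the script touches beyond the declared lists still fails the build.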