When viewing ~/Library/Containers not all com.Foo.Bar/ folders are visible. They can be accessed using the terminal but is there a way to make them visible in the viewer as well? Why are some folders hidden like this? Edit: ls -delO@ results Visible folder:

com.apple.containermanager.identifier	 18
	com.apple.containermanager.schema-version	  2
	com.apple.containermanager.uuid	 36

Invisible folder:

com.apple.FinderInfo	 32
	com.apple.containermanager.identifier	 25
	com.apple.containermanager.schema-version	  2
	com.apple.containermanager.uuid	 36
	com.apple.data-container-personality	260056

I’m about to install a privacy-unfriendly app from the Mac App Store, so I want to know whether sandboxed Mac App Store–distributed apps can still access unique hardware identifiers (for example, the machine’s serial number) or are limited to non-unique IDs such as IDFA, IDFV, or app-generated UUIDs. On macOS—outside the App Store sandbox—apps can easily query the system for the machine’s serial number and other unique hardware identifiers. My question is: under Apple’s sandbox rules for Mac App Store apps, is access to the Mac’s serial number (and similar device-unique identifiers) blocked? Or can a sandboxed App Store app still read those values? Specifically: • Which hardware or system identifiers are accessible to a sandboxed macOS app installed via the App Store? • Does the App Store sandbox policy explicitly prevent reading the serial number or other device-unique values? • If those identifiers are blocked, what alternative identifiers (if any) can App Store apps use on macOS for analytics or user tracking purposes? Any pointers to relevant Apple documentation, entitlement requirements, or API behavior would be greatly appreciated.

I have built apache http server from source in macosx monterey. If I run from a logged in user its ok. I have created a launch daemon script in /Library/LaunchDaemons to launch it every 5 seconds with apachectl start because I have the files in USB removable drive. When launchd tries to start the server I get access denied from the sandboxd while httpd is trying to read files off the USB drive. How do I get around this ?

I'm running MacOS Catalina. How can I tell if a particular MacOS App downloaded from the Internet is notarized and/or sandboxed?

Since installing OSX 10.10 (Yosemite), my console is full of error messages regarding fmfd, like fmfd(384) deny file-read-metadata /Volumes/Macintosh HD This happens mostly at startup and when starting programs. I just want to know what it is, for my peace of mind and that my console can lose some weight ;) Here´s some more (hopefully useful) information from one report: fmfd(384) deny file-read-metadata /Volumes/Macintosh HD Process: fmfd Path: /usr/libexec/fmfd Load Address: 0x105f38000 Identifier: fmfd Version: ??? (???) Code Type: x86_64 (Native) Parent Process: launchd Date/Time: 2014-10-21 17:13:10.336 +0200 OS Version: Mac OS X 10.10 (14A389) Report Version: 8 Can you help me with that, or assure me it´s harmless? I don´t necessarily want to allow the process more rights in the sandbox if not necessary, like they did in https://discussions.apple.com/thread/5495141?start=15&tstart=0

Given that signature checks for kernel extensions and executables are both carried out in userspace, this tells me that SIP and the sandbox aren't running when launchd is still the only process running. But, I can't be sure, so I ask: is launche completely unconfined by the security features that were introduced by SIP (e.g., Sandbox, AMFI, entitlements, SIP, etc.)?

I've written a small shell script that downloads some server data and saves them into a restic repository. The restic repository files are on a mounted volume. The script works fine if I run it in the Terminal. To run this script daily I created a launchd .plist file in ~/Library/LaunchAgents Watching the output logs, I can see that the restic command fails to access its files. The system logs show a sandboxd warning that blocked restic. I've granted Full Disk Access to the restic binary, but that didn't do the trick. What am I missing?

Not often I need to do something very unique and specific on my m1 (apple silicon) macbook air. Something like: * I'll be interested in video game emulation, and need very specific controller support, and be downloading apps to run games. * I'll need to convert or edit videos, and download a bunch of tools to get what I need to do done. * I'll be interested in some obscure new terminal-based command for a programming language I found trending. * Software for specific micro-controllers / burners In all of these cases, there's a novel and new software I'm installing on my system, and generally I have to _**trust**_ that none of this code is malicious, installs something that runs in the background, tracks my keyboard, or gets access to my personal files. 1. Is this a reasonable fear? 2. Is there a way to run this code in isolation from the rest of my system? Ideally I could spin up some kind of sandbox, download the apps or terminal commands run what I need and possibly delete the sandbox as if it never existed. Ideally there's no hit to performance, and it's not cumbersome to use. I thought about using different mac profiles, but I know some apps install on a whole disk, and anything installed by the admin has admin access no?

I need to run Brave on my Mac Sonoma 14.3 (M2 Mac). Unfortunately, it is a managed device and I cannot install Brave directly. I may, anyhow, virtualise it. Installing a full-fledged OS in a Parallels-VM just to run Brave seems a little over the top for me though. I was hoping for a more Docker-like approach that would allow me to install and run Brave in a sandbox. Is there something like this or is Parallels the only viable approach?

In my XCode project, I have a Python script I'm running as one of my build phases. However, it's failing to open a file with the error:

Sandbox: Python(22805) deny(1) file-read-data

How can I give Xcode/Python permission to read this file?

When saving a Microsoft Word document directly to a SMB share which was mounted using a bookmark and authenticated with an Open Directory "Network User Account", the saved document becomes invisible. This seems to be caused by the quarantine flag, which all network shares have when mounted with a bookmark (or AppleScript, for that matter). The flag can be seen by using the mount command in Terminal.app: % mount //test@someServer.local/test on /Volumes/test (smbfs, nodev, nosuid, quarantine, mounted by someUser) **Questions:** 1. Is there a way to create a SMB bookmark that doesn't result in the mounted volume having the quarantine flag? 2. Is there a way to prevent Word.app (or whatever process is responsible) from making the file invisible? **Affected Environment:** - macOS Server versions: macOS 11, 10.15, 10.14, 10.13, 10.12 and possibly others - macOS Client versions: macOS 11, 10.15 and possibly others - Word versions: 16.48, 16.46, 16.45 and possibly others - Local user account type: irrelevant; happens to admins, regular users and guests - User account type to connect to SMB share: "Network User Account" via Apple Open Directory and possibly other directory accounts **Steps to reproduce:** 1) Open Finder 2) Press Cmd-K to connect to a server 3) Enter server address "smb://someServer" (where someServer can be a domain or an IP address) 4) Select the entered server address and drag it to the desktop, thereby creating a bookmark to the specified SMB server 5) Double-click bookmark the open it. The typical dialog prompting for user credentials should appear. 6) Enter your user credentials (of a network user account from Open Directory) 7) Mount any share 8) Open Word.app 9) Create a new document and enter some text 10) Save the document on the mounted share Result: The saved document might appear for an instant, but will then vanish. It can be made visible again using chflags nohidden, so it actually is saved but just made invisible by some unknown process.

I like to know if there is a guideline or some special way to submit a macOS app to app store without having sandbox, let say you have an app that you need to remove sandbox to this app works, is there a special treatment for that if we want submit our app to app store? or there is absolute no way for submitting a macOS app without sandbox and we have to lunch it as third party on a custom website?

Since 2016, Microsoft Excel has run in an [App Sandbox](https://developer.apple.com/documentation/security/app_sandbox) on macOS. This means that a HYPERLINK function which points to a local path, like HYPERLINK("/Users/me/Desktop/example.pdf"), won't work. Clicking the hyperlink produces this error: The error can be worked around with this method of accessing files from the macOS App Sandbox : > The operating system implicitly starts security-scoped access on URLs passed from open panels, save panels, or **items dragged to your app’s icon in the Dock** … When the URL your app receives from a standard user interface interaction represents a folder, **the operating system extends your app’s sandbox to items within that folder, and recursively in nested folders**. Some items within the folder could still be inaccessible for other reasons. See “Diagnose other reasons your app can’t access a file,” below. That is, once the linked file, or its parent directory (in the above example /Users/me/Desktop), has been dragged from Finder to the Excel icon in the Dock, the link will work. However, this technique is not intuitive and there is no visual feedback to indicate that it has been performed correctly. I haven't been able to get the technique to work on all Macs. Sometimes, I have to take the additional step of creating a manual link to the parent directory with ⌘K (Insert Link) rather than the HYPERLINK function. Following this link will grant the permission required for function-based links into the specified directory to work. But this is also unintuitive because the open panel won't let you select a directory. You need to choose a file in the directory, then delete the filename from the end of the completed Address. Is there a simpler and more consistent way to work around the "Cannot open the specified file" error for HYPERLINK functions in Excel for Mac?

*Summary*: I migrated my user data to a new APFS volume to mitigate upgrade issues with Ventura, but I am now experiencing high CPU usage with syncdefaultsd and secd due to permission issues. I need help to adjust Sandbox settings without breaking the security or stability of the system. -------- *Details*: After some very lengthy "wars" with a multi-failed attempt to "upgrade" to Ventura, I was finally able to get some relief/success by first migrating my user data to a new APFS volume that lives beside the "system" volume. Apparently Apple engineers seem to believe this is the best course of action presently so as to mitigate "headaches" from failed upgrades and other issues... When doing this I discovered that this works rather well, but I noticed that syncdefaultsd was running quite high on the CPUs. Looking into the logs more closely I found that both it and secd are having a problem with permission to the new user storage location, eg my new home folder is at /Volumes/data/Users/username and the error in question is:

...
1			kernel	Sandbox: secd(16636) deny(1) file-write-create /Volumes/data/.TemporaryItems/folders.501/TemporaryItems/path	0	0: 0x95619f	error	17:57:51.167515-0400
...
1			kernel	Sandbox: syncdefaultsd(670) deny(1) file-write-create /Volumes/data/.TemporaryItems/folders.501/TemporaryItems/path	0	0: 0x956f00	error	17:58:00.614794-0400
...

What is the appropriate or acceptable method to deal with this without breaking Apple's methodology here? Clearly (Seatbelt) Sandbox isn't configured to facilitate this and/or some system setting in Ventura is not liking the *automatic* move that macOS did to put .TemporaryItems into the new volume's root path. I don't like the idea of removing all permissions on the drive and if I manually set them, a system service automatically re'chowns the folder to root:wheel, so I'm not seeing any clean or clear paths past this. Another option, that would not be considered kosher, is to mount the System volume +rw and modify com.apple.secd.sb and com.apple.syncdefaultsd.sb in /System/Library/Sandbox/Profiles/ so as to add:

(allow file-write-create
    (subpath "/Volumes/data/.TemporaryItems"))

Such that com.apple.secd.sb would be:

(version 1)

(deny default)

(import "system.sb")

(allow file-write-data
    (literal "/dev/random"))

(allow file-write-create
    (subpath "/Volumes/data/.TemporaryItems"))

(allow file-read* file-write*
    (subpath "/private/var/db/mds")
...

And com.apple.syncdefaultsd.sb would have this inserted:

...
(allow user-preference-read
    (preference-domain "com.apple.CloudKit")
    (preference-domain "kCFPreferencesAnyApplication"))

;; Read/write access to a temporary directory
(allow file-read* file-write*
    (subpath (param "TMPDIR"))
    (subpath (param "DARWIN_CACHE_DIR"))
    (subpath "/Volumes/data/.TemporaryItems"))
       
;; Read ourselves
(allow file-read*
    (subpath (param "SELF_PATH")))
...

But this is clearly both fragile and "insecure"... Thus my question: how *should* such a situation be handled when moving the home folder to a different volume and needing to accommodate Apple's Sandboxing? ------- As requested, here's the process I followed to "move" my user folder to the new APFS volume: - Installed new system - Upon user creation created user with same username as before - Make new "admin" user and login as such - Created new APFS volume - sudo rsync -avEX --progress /Users /Volume/data/ - cd /Volume/data/Users - sudo rsync -avEX /Volume/data/Users/newly_created_username/ /Volume/data/Users/username.new_empty_username_backup - sudo rsync -avEX --progress --remove-source-files /Volume/old_system/Users/username/ /Volumes/data/Users/newly_created_but_same_as_original_username/ - Sanity check ownership, just in case so that UIDs match: sudo chown -R username:staff /Volumes/data/Users/newly_created_but_same_as_original_username/ - Log out and back in as username - deal with TCC, etc. and start using system.

I'm getting two errors in the console at the same time TimeMachine is running and taking FOREVER to make any progress. 1/4/13 9:41:38.000 PM kernel: Sandbox: sandboxd(5838) deny mach-lookup com.apple.coresymbolicationd The second entry is : mdworker32(5837) deny mach-lookup com.apple.PowerManagement.control (import fstype:hfs fsflag:480D000 flags:200000056 diag:0 uti:com.microsoft.excel.openxml.addin plugin:/Library/Spotlight/Microsoft Office.mdimporter - find suspect file using: sudo mdutil -t 861170) It has the following details: Process: mdworker32 Path: /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker32 Load Address: 0xb3000 Identifier: mdworker32 Version: ??? (???) Code Type: i386 (Native) Parent Process: launchd Date/Time: 2013-01-04 21:41:43.007 -0500 OS Version: Mac OS X 10.8.2 (12C3012) Report Version: 8 Thread 0: 0 libsystem_kernel.dylib 0x9524b7d2 mach_msg_trap + 10 1 CoreFoundation 0x9a436599 __CFRunLoopServiceMachPort + 185 2 CoreFoundation 0x9a43bf7f __CFRunLoopRun + 1247 3 CoreFoundation 0x9a43b63a CFRunLoopRunSpecific + 378 4 CoreFoundation 0x9a44b061 CFRunLoopRun + 129 5 mdworker32 0x000bcd14 6 libdyld.dylib 0x98282725 start + 0 Thread 1: 0 libsystem_kernel.dylib 0x9524e9ae kevent + 10 1 libdispatch.dylib 0x957dd7a9 _dispatch_mach_notify_source_init + 0 Thread 2: 0 libsystem_kernel.dylib 0x9524e0ee __workq_kernreturn + 10 1 libsystem_c.dylib 0x956c3e19 _pthread_wqthread + 448 2 libsystem_c.dylib 0x956abcca start_wqthread + 30 Thread 3: 0 libsystem_kernel.dylib 0x9524e0ee __workq_kernreturn + 10 1 libsystem_c.dylib 0x956c3e19 _pthread_wqthread + 448 2 libsystem_c.dylib 0x956abcca start_wqthread + 30 Thread 4: 0 libsystem_kernel.dylib 0x9524e0ee __workq_kernreturn + 10 1 libsystem_c.dylib 0x956c3e19 _pthread_wqthread + 448 2 libsystem_c.dylib 0x956abcca start_wqthread + 30 Thread 5: 0 libsystem_kernel.dylib 0x9524b7d2 mach_msg_trap + 10 1 liblaunch.dylib 0x934cae58 2 liblaunch.dylib 0x934c968e bootstrap_look_up3 + 78 3 liblaunch.dylib 0x934c9862 bootstrap_look_up2 + 77 4 IOKit 0x95792146 _pm_connect + 108 5 IOKit 0x957936b6 IOPMConnectionGetSystemCapabilities + 38 6 ATS 0x903c42ff FOLazyInitialize + 83 7 ATS 0x9040368a FOGetFontFamilyFromName + 31 8 QD 0x912aafc2 GetFNum + 17 9 HIToolbox 0x90670a80 HLTBGetFontNumber + 24 10 HIToolbox 0x906706c6 SetCustomizedFields + 853 11 HIToolbox 0x906701a0 InitIntlValue + 70 12 CarbonCore 0x97d331fc IntlIsInitIntlValueDone + 40 13 CarbonCore 0x97d32b13 SMInitIntlSpec + 1550 14 CarbonCore 0x97d321d2 LMGetIntlSpec + 69 15 CarbonCore 0x97db023f FWMapScript + 11 16 CarbonCore 0x97db021a FillParseTable + 110 17 Microsoft Office 0x00826d25 OfficeImporterPluginFactory + 493228 18 Microsoft Office 0x00826065 OfficeImporterPluginFactory + 489964 19 Microsoft Office 0x0082616e OfficeImporterPluginFactory + 490229 20 Microsoft Office 0x008d215a OfficeImporterPluginFactory + 1194721 21 Microsoft Office 0x007c3c5b OfficeImporterPluginFactory + 87522 22 Microsoft Office 0x007c05dc OfficeImporterPluginFactory + 73571 23 Microsoft Office 0x007c21ca OfficeImporterPluginFactory + 80721 24 Microsoft Office 0x007be0f6 OfficeImporterPluginFactory + 64125 25 Microsoft Office 0x007bf13c OfficeImporterPluginFactory + 68291 26 Microsoft Office 0x007ae78c OfficeImporterPluginFactory + 275 27 mdworker32 0x000ba98d 28 mdworker32 0x000b8d33 29 mdworker32 0x000b9f38 30 mdworker32 0x000be8c0 31 libsystem_c.dylib 0x956c1557 _pthread_start + 344 32 libsystem_c.dylib 0x956abcee thread_start + 34 Binary Images: 0xb3000 - 0x10bff3 mdworker32 (707.3) /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker32 0x7ad000 - 0x9c5ff2 com.microsoft.MDImporter.Office (12.3.0 - 12.3.0) /Library/Spotlight/Microsoft Office.mdimporter/Contents/MacOS/Microsoft Office 0x903c3000 - 0x90438ff7 com.apple.ApplicationServices.ATS (332) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS 0x90602000 - 0x909e5ff3 com.apple.HIToolbox (2.0) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox 0x91256000 - 0x912f6ff7 com.apple.QD (3.42) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD 0x934c7000 - 0x934cefff liblaunch.dylib (442.26.2) /usr/lib/system/liblaunch.dylib 0x95239000 - 0x95253ffc libsystem_kernel.dylib (2050.20.9) /usr/lib/system/libsystem_kernel.dylib 0x956ab000 - 0x95768feb libsystem_c.dylib (825.25) /usr/lib/system/libsystem_c.dylib 0x95770000 - 0x957d8ff7 com.apple.framework.IOKit (2.0.1) /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit 0x957d9000 - 0x957ebff7 libdispatch.dylib (228.23) /usr/lib/system/libdispatch.dylib 0x97d06000 - 0x9800bff7 com.apple.CoreServices.CarbonCore (1037.3 - 1037.3) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore 0x98280000 - 0x98282fff libdyld.dylib (210.2.3) /usr/lib/system/libdyld.dylib 0x9a404000 - 0x9a5ecff3 com.apple.CoreFoundation (6.8 - 744.12) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation When I run the above mentioned SUDO command I get /Applications/Microsoft Office 2011/Office/Add-Ins/Solver.xlam /Volumes/Not Encrypted/Backups.backupdb/clamont’s MacBook Pro/2012-12-04-080942/Macintosh HD/Users/clamont/Library/Calendars/Calendar Sync Changes/11EDF221-B949-4881-9815-2E00E96A4CA2.tmp /Volumes/Backup/Backups.backupdb/Chris’s MacBook Pro/2012-12-05-033251/Macintosh HD/Users/clamont/Library/Developer/Shared/Documentation/DocSets/com.apple.adc.documentation.AppleOSX10_8.CoreReference.docset/Contents/Resources/Documents/documentation/DeviceDrivers/Conceptual/WritingPCIDrivers/agp_device/agp_device.html Based on the "access denied" error and that I've only backed up 3GB of data within 30 minutes on a firewire port makes me think something is broken. Can anyone tell me where to go next in troubleshooting this? ----- Update: I found an article that says I should modify system.sb (located in /System/Library/Sandbox/Profiles) to include: (allow mach-lookup (global-name "com.apple.ls.boxd")) (allow mach-lookup (local-name "com.apple.ls.boxd")) Can anyone help me understand what is going on and if I'm lowering security in any way at all?

I've recently updated my Mac to Ventura 13.3. Since then, I'm experiencing major problem with opening Word files from Finder. Some files can be opened without a problem, some just can't. To be honest, I'm absolutely sick of it, because Word is my daily driver that I use for my work. Clicking on the file just opens Word, but not the file. The file can be opened though directly through Word (File>Open>...). But when I edit it and try to save it, Word asks to grant permission for the file. When I grant it, it just doesn't work anyway. I'm forced to "create new file" by using the "save as" feature. I've already tried reinstalling the Office suite (Office 2019 btw.), but it's of no use. It's clearly caused by the macOS update. I've also spent many hours searching the web and trying variuos fixes, but nothing helps. Is anyone else experiencing this kind of difficulty? Any ideas how to fix this? Or do I have to just hope that the next Word/macOS update will fix this?

I need to test some signing/notarization issues with Gatekeeper and I need a completely “new” and “fresh” system for that so that I can test the app like a completely new user. Is there an easier way for that than virtualizing a Mac on a Mac? I tried just creating a new user on my local machine, but it turns out the users share the certificates - means I can not test the issue this way since the app launches without issues because of the certificates and previous launching of the app.

I'd like to get a one year license for After Effects and start learning it but in the past I've installed the trial and it was requiring an administrator password. It then added all kind of processes at startup, a thing I'd like to avoid (and I'm in general bothered it asks for the admin rights for what it does). Is there a way to sandbox it or any other way to avoid this?

I'm using a very simple macOS script to add todo's from my Things3 in Fantastical. The reason I'm doing this is that I want more control over what is being added to the calendar event. You can add todo's from Things3 to fantastical using drag and drop, but this will add a lot of data to the event title that I want to filter out. The script I'm using is:

tell application id "com.culturedcode.ThingsMac"
	set title to name of selected to dos
	set description to notes of selected to dos
	set eventLength to " 30 minutes"
	set calender to " / Calendar"
	set input to (title & eventLength & calender) as string
end tell

tell application "Fantastical"
	parse sentence input notes description
end tell

This worked fine in the past, but with new sandbox settings(?) it looks like it's being blocked. When executing the script from Things3, I get:

Sandbox: Things3(989) deny(1) appleevent-send com.flexibits.fantastical2.mac

Is there a way to get around this? The strangest thing is that when I run the script outside Things3 it works fine. But when it is invoked from Things3 (described here ) it gets caught in the sandbox.

I am trying to run a legacy program (not mine) and trying to get it to run on an M1. I have managed to get it working contingent on this program being able to see a few files that it wants at a certain location in /opt/local/... . As long as those files are there, the program runs well (using Rosetta, which I am happy with). Unfortunately, I am also running MacPorts, and various packages that I have installed with MacPorts need to see a different version of the same files, with the same name, in the same /opt/local/... location. I have tried all manner of things to get MacPorts to install these files elsewhere, but MacPorts likes doing things in /opt/local the way it does. It would seem that what I need to do is get this program to think the thing it calls "/opt" is something other than what it is. That way, I can just put the files it needs in its virtual "/opt" folder and let MacPorts do its thing. Is there any easy way to do this? I was looking into some kind of chroot solution, except this is a GUI app with audio stuff happening and I'd have to copy all kinds of stuff into the chrooted /. Bind mounting would make that much easier but macOS doesn't have that unless I want to use something like bindfs. I guess could try something like a Docker container but as this is a GUI app with audio I'm not sure how well that'd work. I'm hoping to avoid really heavy virtualization (like running it in an entirely different OS in a VM) if at all possible. Is there some relatively simple way to do this kind of thing?