aonez / Keka

The macOS & iOS file archiver
https://www.keka.io

Keka not launching on Big Sur from Synthetic.conf remapped directory #837

Open jil24 opened 3 years ago

jil24 commented 3 years ago

I usually keep my non-system programs in a directory located here /Shared Files/Utilities

Prior to Catalina this was its real path but due to new security measures in Catalina/Big Sur the /Shared Files directory is actually located here /System/Volumes/Data/Shared Files and is remapped to the root of the volume using /etc/synthetic.conf (discussion here): https://derflounder.wordpress.com/2020/01/18/creating-root-level-directories-and-symbolic-links-on-macos-catalina/

Keka stopped working, but I found that it works fine when the app bundle is placed in these directories: /Applications, ~/Applications, ~/Desktop

but not /Shared Files/*. I also tried manually launching from the "correct path" /System/Volumes/Data/Shared Files with no difference.

The program seems to hang with no windows or menu bar menus produced.

Here is what appears to be the relevant console output:


error   11:07:58.583755-0400    sandboxd    Sandbox: Keka(35918) deny(1) file-issue-extension target:/Shared Files/Utilities/Keka.app class:com.apple.app-sandbox.read
Violation:       deny(1) file-issue-extension target:/Shared Files/Utilities/Keka.app class:com.apple.app-sandbox.read
Process:         Keka [35918]
Path:            /System/Volumes/Data/Shared Files/Utilities/Keka.app/Contents/MacOS/Keka
Load Address:    0x106fcb000
Identifier:      com.aone.keka
Version:         4541 (1.2.13)
Code Type:       x86_64 (Native)
Parent Process:  launchd [1]
Responsible:     /System/Volumes/Data/Shared Files/Utilities/Keka.app/Contents/MacOS/Keka
User ID:         503

Date/Time:       2021-04-17 11:07:58.573 EDT
OS Version:      macOS 11.1 (20C69)
Report Version:  8

MetaData: {"build":"macOS 11.1 (20C69)","responsible-process-uid":503,"platform_binary":"no","primary-filter":"path","file-flags":0,"container":"\/Users\/yashka\/Library\/Containers\/com.aone.keka\/Data","profile-in-collection":false,"flags":5,"pid":35918,"signing-id":"com.aone.keka","platform-policy":false,"target":"\/Shared Files\/Utilities\/Keka.app","apple-internal":false,"file-mode":511,"errno":1,"vnode-type":"DIRECTORY","extension-class":"com.apple.app-sandbox.read","profile-flags":0,"hardware":"Mac","operation":"file-issue-extension","primary-filter-value":"\/Shared Files\/Utilities\/Keka.app","responsible-process-path":"\/System\/Volumes\/Data\/Shared Files\/Utilities\/Keka.app\/Contents\/MacOS\/Keka","action":"deny","rdev":0,"platform-binary":false,"summary":"deny(1) file-issue-extension target:\/Shared Files\/Utilities\/Keka.app class:com.apple.app-sandbox.read","process-path":"\/Shared Files\/Utilities\/Keka.app\/Contents\/MacOS\/Keka","hardlinked":false,"matched-extension":false,"uid":503,"mount-flags":76583424,"responsible-process-user-uuid":"1708BC0E-644A-4C78-A658-46320EF17422","matched-user-intent-extension":false,"path":"\/Shared Files\/Utilities\/Keka.app","normalized_target":["Shared Files","Utilities","Keka.app"],"team-id":"4FG648TM2A","process":"Keka"}

Thread 0 (id: 69905753):
0   libsystem_kernel.dylib          0x00007fff2033c376 __mac_syscall + 10
1   LaunchServices                  0x00007fff20884bd0 _LSApplicationCheckIn + 1840
2   HIServices                      0x00007fff256d791c _RegisterApplication + 6665
3   HIServices                      0x00007fff256d5e28 GetCurrentProcess + 23
4   HIToolbox                       0x00007fff286bcabf MenuBarInstance::GetAggregateUIMode(unsigned int*, unsigned int*) + 63
5   HIToolbox                       0x00007fff286bca49 MenuBarInstance::IsVisible() + 51
6   AppKit                          0x00007fff22c4ba7b _NSInitializeAppContext + 35
7   AppKit                          0x00007fff22c4977a -[NSApplication init] + 417
8   AppKit                          0x00007fff22c493b9 +[NSApplication sharedApplication] + 120
9   AppKit                          0x00007fff22c47c5b NSApplicationMain + 409
10  libdyld.dylib                   0x00007fff2038a621 start + 1
11  Keka                            0x0000000000000001

Thread 1 (id: 69905774):
0   libsystem_kernel.dylib          0x00007fff2033c53e __workq_kernreturn + 10
1   libsystem_pthread.dylib         0x00007fff2036b467 start_wqthread + 15

Thread 2 (id: 69905778):
0   libsystem_kernel.dylib          0x00007fff2033c53e __workq_kernreturn + 10
1   libsystem_pthread.dylib         0x00007fff2036b467 start_wqthread + 15

Thread 3 (id: 69905779):

Binary Images:
       0x106fcb000 -        0x10702efff  com.aone.keka (1.2.13 - 4541) <73a74552-3c64-3607-9214-9817cbabb20f> /System/Volumes/Data/Shared Files/Utilities/Keka.app/Contents/MacOS/Keka
    0x7fff2033a000 -     0x7fff20368fff  libsystem_kernel.dylib (7195.60.75) <4bd61365-29af-3234-8002-d989d295fdbb> /usr/lib/system/libsystem_kernel.dylib
    0x7fff20369000 -     0x7fff20374fff  libsystem_pthread.dylib (454.60.1) <8dd3a0bc-2c92-31e3-bbab-ce923a4342e4> /usr/lib/system/libsystem_pthread.dylib
    0x7fff20375000 -     0x7fff203afff7  libdyld.dylib (832.7.1) <2f8a14f5-7cb8-3edd-85ea-7fa960bbc04e> /usr/lib/system/libdyld.dylib
    0x7fff20882000 -     0x7fff20ab1e0f  com.apple.LaunchServices (1122.11 - 1122.11) <caeec254-68ae-39b5-8452-ec3e1ee8577b> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
    0x7fff22c44000 -     0x7fff239a6c6f  com.apple.AppKit (6.9 - 2022.20.119) <4cb42914-672d-3af0-a0a5-2209088a3da0> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
    0x7fff256d3000 -     0x7fff2572efe7  com.apple.HIServices (1.22) <9af2cdd9-8b68-3606-8c9e-1842420acda7> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
    0x7fff286b9000 -     0x7fff289b8ffd  com.apple.HIToolbox (2.1.1) <93518490-429f-3e31-8344-15d479c2f4ce> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox

aonez commented 3 years ago

Any other sandboxed app works on that directory?


jil24 commented 3 years ago

I didn't actually have any other sandboxed apps to test, so I just downloaded and ran "fatFileFinder" from here https://github.com/Ravbug/FatFileFinderCPP/releases/tag/2.2 which appears to be sandboxed - it launches fine from the same folder.

aonez commented 3 years ago

@jil24 I had no issues launching Keka from /System/Volumes/Data/Shared Files/. I did not create the symlink/synthetic.conf yet, but since you stated:

I also tried manually launching from the "correct path" /System/Volumes/Data/Shared Files with no difference.

I suppose it will work too for me.

In your logs Keka is not able to launch for a sandbox violation. Seems like it maybe has no read permission and the entitlement com.apple.security.files.user-selected.read-write might be violating the sandbox. What read permissions does it have in your Shared files folder?

This is how it looks to me:

aone@aONe-Mini ~ % ls -la /System/Volumes/Data/Shared\ Files 
total 16
drwxr-xr-x   4 aone  wheel   128 Apr 19 08:59 .
drwxr-xr-x  27 root  wheel   864 Apr 19 08:58 ..
-rw-r--r--@  1 aone  wheel  6148 Apr 19 08:59 .DS_Store
drwxr-xr-x@  3 aone  wheel    96 Apr 15 12:31 Keka.app

For what it's worth, I've created the Shared files folder using Finder (asked admin password) and copied Keka there using Finder too. No Terminal used here.
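For readers triaging a report like the one quoted in this thread, the following added example (not part of the original thread or of Keka's code) decodes the `MetaData:` line of a sandboxd violation report and summarises the denied operation. The function names, the trimmed sample report, and the treatment of `/System/Volumes/Data` as a strippable prefix are assumptions made for illustration; the list of working locations is taken from what participants report in this thread.

```python
import json
import re

# Abridged copy of the sandboxd report quoted in this thread (fields trimmed).
SAMPLE_REPORT = r'''Violation:       deny(1) file-issue-extension target:/Shared Files/Utilities/Keka.app class:com.apple.app-sandbox.read
Process:         Keka [35918]
MetaData: {"container":"\/Users\/yashka\/Library\/Containers\/com.aone.keka\/Data","signing-id":"com.aone.keka","target":"\/Shared Files\/Utilities\/Keka.app","errno":1,"extension-class":"com.apple.app-sandbox.read","operation":"file-issue-extension","responsible-process-path":"\/System\/Volumes\/Data\/Shared Files\/Utilities\/Keka.app\/Contents\/MacOS\/Keka","action":"deny","process-path":"\/Shared Files\/Utilities\/Keka.app\/Contents\/MacOS\/Keka"}
'''

DATA_VOLUME = "/System/Volumes/Data"  # assumption: prefix seen in the report's paths


def strip_data_volume(path):
    """Drop the Data-volume prefix so both spellings of a path compare equal."""
    return path[len(DATA_VOLUME):] if path.startswith(DATA_VOLUME + "/") else path


def parse_report(text):
    """Return the decoded MetaData object from a sandboxd violation report."""
    m = re.search(r"^MetaData:\s*(\{.*\})\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no MetaData line in report")
    return json.loads(m.group(1))


def triage(text):
    """Summarise who was denied what, and where the app bundle lives."""
    meta = parse_report(text)
    # The container path reveals the user's home directory.
    home = meta["container"].split("/Library/Containers/")[0]
    # Locations participants in this thread reported as launching correctly.
    working = ("/Applications/", home + "/Applications/",
               home + "/Desktop/", "/Users/Shared/")
    target = strip_data_volume(meta["target"])
    process = strip_data_volume(meta["process-path"])
    responsible = strip_data_volume(meta["responsible-process-path"])
    return {
        "signing_id": meta["signing-id"],
        "denied": meta["action"] == "deny",
        "operation": meta["operation"],
        "extension_class": meta["extension-class"],
        "target": target,
        # True when the app was denied access to its own bundle directory.
        "target_is_own_bundle": process.startswith(target + "/"),
        "same_binary_both_paths": process == responsible,
        "in_reported_working_location": target.startswith(working),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample, the summary shows the app being denied a read extension on its own bundle, with the bundle outside every location the thread reports as working.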

aonez commented 3 years ago

Maybe you could try to reproduce with HandBrake since it is notarized and most probably hardened, like Keka.

That "FatFileFinder" is not notarized so maybe the sandbox checks are not the same.

aonez commented 3 years ago

@jil24 did you have the chance to try if another notarized app runs there?

jil24 commented 3 years ago

Yeah, Handbrake fails in an identical fashion. My permissions in ls -al in that directory look identical to yours too. I tried creating a brand new non-remapped directory inside System/Volumes/Data/ as well, using Finder, and copied Keka and Handbrake there as well, and the results are the same, with the same sandbox error in the console.

So it doesn't seem to be related to Synthetic.conf.

aonez commented 3 years ago

I've replicated the issue now. So it seems this is the way to go from Big Sur. You can use /Users/Shared instead; it can be accessed by any user and it doesn't have this sandbox restriction.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.