Sandbox entitlement leads to crash at launch

[develorer]

Steps to reproduce : 1) Take an electron app built for macOS, distributed outside of the app store, that does not include the sandbox entitlement. 2) Using codesign on the terminal command line, add the sandbox entitlement to the main app, the inherit entitlement (and the sandbox entitlement) to the children and ElectronTeamID to the main app. Sign all apps as appropriate.

Alternatively (this other procedure leads to the exact same issue): 1) Take an electron app built for macOS, distributed outside of the app store, that does not include the sandbox entitlement. 2) using electron-builder configuration, change platform=darwin to platform=mas, add the sandbox entitlement to the main app, the inherit entitlement (and the sandbox entitlement) to the children and ElectronTeamID to the main app. Sign all apps as appropriate with electron-builder.

Outcome : App crashes on launch with the following message:

Sandbox: QuickSample(2132) deny(1) network-bind /private/var/folders/s2/j1z79krx53qgms8l31r94_zc0000gn/T/com.electron.quicksample/S/SingletonSocket

Expected outcome : App launches appropriately

Interpretation : It seems the entitlements work, but the electron app creates a UNIX domain socket (I assume for IPC between main app and helper) with a file descriptor in /var/folders. This directory is outside the app's container (it's a sandboxed app at that point), which macOS does not allow.

Possible resolution : How can I force electron to start sockets inside the app's container (/Library/Containers/com.electron.quicksample/) ?

[vasiliicuhar]

@develorer try electron/electron/issues/15958

[develorer]

Yes, that works. Ultimately, it is about removing the request to the lock, which is not supported inside a sandbox.