getsentry / sentry-native

Sentry SDK for C, C++ and native applications.
MIT License

How to use sentry native in macos app sandbox! I think maybe have some function can try it #1033

Open 0xC05StackOverflow opened 3 months ago

0xC05StackOverflow commented 3 months ago

Dear admin, I am a cross-platform developer working on both Windows and macOS. According to Sentry's official documentation, we have noticed that Sentry does not support macOS's sandbox mode. We understand that this mode is particularly challenging due to the limitations imposed by the sandbox's permission isolation, which makes it impossible to connect to crashpad_handle via file descriptors. However, based on our research, we still believe that by configuring the entitlement file, this issue can be overcome.

I would like to discuss the feasibility of this with you. Through reading the official documentation of crashpad_handle, I found that there is a second method in the documentation besides using file descriptors—mach-service=SERVICE. I reviewed the relevant code implementation in crashpad_handle, and found that its underlying implementation is done through mach_port_insert_member. This means that, first, a service name needs to be provided using --mach-service. Secondly, when setting the entitlement of the main process, the service name that was just set needs to be included through com.apple.security.temporary-exception.mach-lookup.global-name and com.apple.security.temporary-exception.mach-register.global-name. Additionally, the com.apple.security.inherit property in the entitlements file of Crashpad_handle should be set to true, so that the child process inherits the two special permissions set in the parent process when it is launched. This should allow --mach-services to work properly.

In the content mentioned above, we set the com.apple.security.temporary-exception.mach-lookup.global-name and com.apple.security.temporary-exception.mach-register.global-name entitlements in the parent process (the application integrating Sentry SDK) because crashpad_handle as a child process only needs to set com.apple.security.inherit. This way, crashpad_handle also inherits the com.apple.security.temporary-exception.mach-lookup.global-name and com.apple.security.temporary-exception.mach-register.global-name entitlements. Originally, these permissions should be set separately, with the register entitlement set in the main process and the lookup entitlement in the crashpad_handle process. However, doing so would require two separate reviews by Apple to explain the reasoning behind each.

In conclusion, this approach seems theoretically feasible, and I hope to discuss with you whether this method could enable Sentry to support macOS sandbox mode. Thank you.

about documents in here:

https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/AppSandboxTemporaryExceptionEntitlements.html

https://chromium.googlesource.com/crashpad/crashpad/+/main/handler/crashpad_handler.md
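The entitlement layout the post describes, written out as an added example (not part of the original issue, of sentry-native, or of Crashpad). The service name `com.example.crashpad` is a placeholder that must match the `--mach-service` argument passed to the handler, and `com.apple.security.inherit` is only valid alongside `com.apple.security.app-sandbox` in the child's own entitlements.

```xml
<!-- 1) Entitlements of the sandboxed main application (the process that
        embeds the Sentry SDK). Both temporary-exception keys take an array
        of Mach service names; the name must equal the --mach-service value. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <!-- lets the app look up the service the handler registers -->
  <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
  <array>
    <string>com.example.crashpad</string> <!-- placeholder service name -->
  </array>
  <!-- lets the handler (inheriting from this app) register the service -->
  <key>com.apple.security.temporary-exception.mach-register.global-name</key>
  <array>
    <string>com.example.crashpad</string> <!-- placeholder service name -->
  </array>
</dict>
</plist>

<!-- 2) Entitlements of the crashpad handler child process. "inherit" must
        be paired with "app-sandbox"; no temporary-exception keys are listed
        here because the child takes over the parent's sandbox profile. -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.inherit</key>
  <true/>
</dict>
</plist>
```

Keep the exception lists to the single service name the handler actually uses; a broader name or wildcard widens what the sandboxed app may reach and is exactly what the post notes Apple review will ask to be justified.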

supervacuus commented 3 months ago

Thanks! Yes, we know these options (both in the entitlements and the crashpad_handler parameters) and think they could be a solution to bypass the current restrictions. The current crashpad client interface even exposes the required handler parameters on macOS but leaves establishing the preconditions for such a start-up to the client application.

This is a more significant change across macOS backend implementation. We must also check where it breaks our current life-cycle assumptions and whether we must maintain the current approach in parallel or switch entirely. The next question is how this will affect client invocation from the handler when we close the gap toward crash hooks on macOS.

Multiple users are interested in support for sandboxed environments (not only on macOS), but it is currently a lower-priority target for Sentry. Let's use this issue to collect interest from others.

past-due commented 2 months ago

+1 for interest in this. (We currently use breakpad for macOS sandboxed builds.)