Sandbox: ExternalQuickLoo(1253) deny(1) network-outbound*:42222

I've got an app with a quicklook generator bundled within it.

The app opens port 42222 for localhost queries.

The quicklook generator fails to connect to the socket.

The log shows these 2 sandbox errors:

Sandbox: 1 duplicate report for java deny(1) file-read-data /private/etc/hosts

Sandbox: ExternalQuickLoo(1253) deny(1) network-outbound*:42222

... which is weird because the app isn't sandboxed:

% codesign -d --entitlements :- /Applications/Test.app
Executable=/Applications/Test.app/Contents/MacOS/Test

The same code functions correctly when executed from a separate app running on the same machine (rather than from the generator).

Any idea why the quicklook generator isn't able to connect to a localhost socket?

... or why sandbox rules are being applied to a non-sandbox app?

This is an old-style Quick Look generator, right? That is, a bundle with the .qlgenerator extension?

If so, the approach you’re taking won’t work. A QL generator is a bundle, which means it has no control over its own sandbox. Rather, the QL generator inherits the sandbox from the process that loads it. The system process that loads QL generators has a very tight sandbox, one that doesn’t allow for outgoing network connections.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
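The log lines quoted in the question name the process that was denied, and it is not Test.app: it is the host that loaded the generator (the name is cut to 16 characters in Sandbox reports, which is why it reads "ExternalQuickLoo"). The example below is added here, not code from the thread or from Apple: it parses Sandbox deny lines of the two shapes quoted above into structured records and then separates denials raised by the app's own process from denials raised by some other process that loaded the app's code. The sample log is constructed; the third line and the process name "Test" are assumed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the two denials quoted in the question plus
# one hypothetical denial from the app's own process and one unrelated line.
SAMPLE_LOG = """\
Sandbox: 1 duplicate report for java deny(1) file-read-data /private/etc/hosts
Sandbox: ExternalQuickLoo(1253) deny(1) network-outbound*:42222
Sandbox: Test(4321) deny(1) file-read-data /Users/example/Library/Preferences/com.example.plist
kernel: unrelated line that must be ignored
"""

# Two message shapes appear in the question:
#   "Name(pid) deny(1) op target"                      per-process report
#   "N duplicate report(s) for Name deny(1) op target"  de-duplicated summary
# The operation is letters and hyphens; the target follows with or without a
# space ("network-outbound*:42222" carries the address "*:42222" directly).
_DENY_RE = re.compile(
    r"Sandbox:\s+"
    r"(?:(?P<dups>\d+)\s+duplicate reports?\s+for\s+)?"
    r"(?P<proc>[^\s(]+)(?:\((?P<pid>\d+)\))?\s+"
    r"deny\((?P<code>\d+)\)\s+"
    r"(?P<op>[a-z][a-z-]*)\s*"
    r"(?P<target>\S+)"
)

# Sandbox reports carry the kernel's short process name, which is limited to
# 16 characters; "ExternalQuickLoo" in the question is that truncation.
_COMM_LEN = 16


def parse_sandbox_denials(text: str) -> List[Dict[str, object]]:
    """Return one record per Sandbox deny line; lines that do not match are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _DENY_RE.search(line)
        if not m:
            continue
        records.append({
            "process": m.group("proc"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "duplicates": int(m.group("dups")) if m.group("dups") else 0,
            "operation": m.group("op"),
            "target": m.group("target"),
        })
    return records


def denials_outside_app(records: List[Dict[str, object]],
                        app_process: str) -> List[Dict[str, object]]:
    """Keep only denials reported by a process other than the app itself.

    A bundled plug-in runs inside whichever process loads it and inherits that
    process's sandbox, so a denial attributed to a different process points at
    the host's policy, not at the app's own entitlements.  The app name is
    compared on its 16-character prefix to match the truncated log form.
    """
    app_comm = app_process[:_COMM_LEN]
    return [r for r in records if r["process"] != app_comm]


if __name__ == "__main__":
    recs = parse_sandbox_denials(SAMPLE_LOG)
    for r in denials_outside_app(recs, "Test"):
        print(f"{r['process']}(pid={r['pid']}) denied {r['operation']} on {r['target']}")
```

Run against the constructed sample, the app's own denial (Test, pid 4321) is filtered out and the two denials from the question remain, attributed to java and to the 16-character host name. That is the check to make before reading the app's own entitlements: if the denying process is not the app, `codesign -d --entitlements` on the app cannot explain it.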

So changing to .appex could help in this regard?

I don’t know. An appex has an app-like structure that, in general, supports independent sandbox configuration. What I’m not 100% sure about is whether QL imposes additional constraints on its appexes that would prevent this.

Honestly, making network requests in a QL generator seems like a bad idea to me. Such things are meant to be self contained.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The app actually renders the image, which is a complicated, proprietary format/process that they want to stay inside the licensed app itself.

This isn’t how Quick Look generators were designed to work and you will run into serious problems if you go down this path. To start, there’s no guarantee that the main app is actually running when the QL generator runs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
