invoking /usr/bin/php in sandboxed apps generates violations
| Originator: | stefan.vogt | | |
| Number: | rdar://10436809 | Date Originated: | 12-Nov-2011 |
| Status: | Open | Resolved: | |
| Product: | Mac OS X SDK | Product Version: | 10.7 |
| Classification: | Other bug | Reproducible: | Yes |
Summary:
When invoking /usr/bin/php via NSTask in sandboxed apps, I get sandboxd violations. While launching tools in /usr/bin seems generally supported, some tools in this directory that rely on additional files get denies.

Steps to Reproduce:
Create an app with sandboxing enabled. Add a simple .php script (e.g. helloworld.php) to the app's resources, and invoke the .php script via NSTask.

Expected Results:
I expected to not get violations for files used by invoking world-readable tools in /usr/bin.

Actual Results:
When running a .php script the log shows the following violations: "sandboxd php deny file-write-create /private/var/db/net-snmp" and "sandboxd php deny file-read-data /private/etc/protocols".

Regression:
It occurs regardless of what you're doing. Temporary entitlements might be a workaround but definitely no solution.

Notes:
Scripts run fine btw... PHP CLI gets denies but this does not mean that the script won't properly execute.
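The two denials quoted in the report, run through a small triage script that maps each denied path to the temporary-exception entitlement key that would have to cover it. This is an added example, not part of the original report: the function names are hypothetical, the log layout follows the abbreviated form quoted above, and the third sample line (with PIDs) is an assumption about fuller sandboxd output.

```python
import re

# Constructed sample: the two denials quoted in the report, plus one line in
# a fuller layout with PIDs (an assumption about what real logs look like).
SAMPLE_LOG = """\
sandboxd php deny file-write-create /private/var/db/net-snmp
sandboxd php deny file-read-data /private/etc/protocols
sandboxd[81] ([412]): php(412) deny file-read-data /private/etc/protocols
"""

# process name, optional "(pid)", the word "deny", operation, absolute path
DENY_RE = re.compile(
    r"(?P<proc>[\w.\-]+)(?:\(\d+\))?\s+deny\s+(?P<op>[\w\-*]+)\s+(?P<path>/.*)"
)

# Apple's documented App Sandbox temporary-exception keys for absolute paths.
READ_ONLY = "com.apple.security.temporary-exception.files.absolute-path.read-only"
READ_WRITE = "com.apple.security.temporary-exception.files.absolute-path.read-write"


def parse_denials(log_text):
    """Return a de-duplicated, sorted list of (process, operation, path)."""
    seen = set()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            seen.add((m["proc"], m["op"], m["path"].rstrip()))
    return sorted(seen)


def candidate_exceptions(denials):
    """Group denied paths by the entitlement key that would cover them.

    A path denied for any file-write-* operation is listed under the
    read-write key only, so the wider grant is never hidden behind a read.
    """
    written = {p for _, op, p in denials if op.startswith("file-write")}
    read = {p for _, op, p in denials if op.startswith("file-read")} - written
    result = {}
    if read:
        result[READ_ONLY] = sorted(read)
    if written:
        result[READ_WRITE] = sorted(written)
    return result


if __name__ == "__main__":
    for key, paths in candidate_exceptions(parse_denials(SAMPLE_LOG)).items():
        print(key, *paths, sep="\n    ")
```

Because the report notes that the script still executes despite the denials, the output is best read as a review list of what an exception would expose rather than a set of paths to grant wholesale.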