Quick Look plug-ins can't use sandbox when code signed

Originator: craig.hockenberry
Number: rdar://15444624
Date Originated:
Status: Closed
Resolved:
Product: OS X
Product Version: OS X 10.9 / 13A603
Classification: Serious Bug
Reproducible: Always
 
Summary:
It's pretty clear that the Security folks want all code that runs in the system to be signed.

<http://furbo.org/2013/10/17/code-signing-and-mavericks/>

Quick Look plug-ins can run as either signed or unsigned code. But when they run as signed code, the sandbox restrictions severely limit the functionality of the plug-in.

For example, a plug-in that wants to extract data from an archive has nowhere to write temporary data (there is no sandbox container for it to write in, nor can it access the filesystem outside of the sandbox provided by the Quick Look daemon).

The result is that all Quick Look plug-ins that are code signed can only read data. It is impossible to write a plug-in that unpacks a ZIP file, examines the file contents, and displays formatted results.

Steps to Reproduce:
1. Download this project: https://github.com/chockenberry/Provisioning
2. Update the Project Build Settings so that "Code Signing Identity" is "Developer ID: *"
3. Build and install the Provisioning.qlgenerator
4. Use the plug-in to examine an iOS app archive that is attached (Twitterrific-Beta.ipa). Note that an .ipa file is just a renamed ZIP archive.

Expected Results:
The provisioning information contained in the .ipa file should be displayed.

Actual Results:
The console log shows:

Nov 11 19:03:57 Myrtle kernel[0]: Sandbox: unzip(56818) deny file-write-create /private/tmp/com.iconfactory.Provisioning
Nov 11 19:03:57 Myrtle.local com.apple.quicklook.satellite[56817]: No file data for file:///Users/craig/Desktop/Provision%20Testing/Twitterrific-Beta.ipa



Version:
OS X 10.9 / 

Notes:
Note that moving the unzip folder to NSCachesDirectory doesn't help either. Since the plug-in doesn't have a sandbox, it tries to write into ~/Library/Caches and fails just as badly as when /tmp is used.

Configuration:


Attachments:
'Twitterrific-Beta.ipa' was successfully uploaded.

Comments

Closed with Comment

The Radar was closed with the following comment:

You can write to NSTemporaryDirectory, which is unique for each QuickLook plugin.

By craig.hockenberry at Dec. 4, 2013, 11:05 p.m.
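The closing comment's advice, worked through as an added example that is not code from the Provisioning project or from this report: a signed Quick Look generator that needs scratch space for unpacking an archive creates it under NSTemporaryDirectory() rather than under /tmp or ~/Library/Caches, the two locations the console log above shows the sandbox denying. The function names QLCreateScratchDirectory and QLExtractArchiveMember, the "com.example.qlscratch" prefix and the archive member name are assumed for illustration only.

```objc
// Added example, not part of the Provisioning project: unpack one archive
// member inside a signed, sandboxed Quick Look generator by writing only to
// NSTemporaryDirectory(), the location the closing comment says is writable
// and unique for each Quick Look plug-in.
#import <Foundation/Foundation.h>
#include <limits.h>   // PATH_MAX
#include <string.h>   // strlcpy, strlen
#include <unistd.h>   // mkdtemp

// Returns a freshly created, private scratch directory inside the plug-in's
// temporary directory, or nil on failure. The caller removes it when done.
// (Name and prefix are assumptions for this example.)
static NSString *QLCreateScratchDirectory(NSString *prefix)
{
    // Unlike /private/tmp/... and ~/Library/Caches/..., which the report's
    // log shows being denied, this directory is granted to the plug-in.
    NSString *base = NSTemporaryDirectory();
    if (base == nil) {
        return nil;
    }
    NSString *template = [base stringByAppendingPathComponent:
                          [prefix stringByAppendingString:@".XXXXXX"]];

    // mkdtemp() creates the directory with mode 0700 and a unique suffix, so
    // concurrent previews handled by the same plug-in (which share one temp
    // directory) cannot collide, and a pre-existing path with a fixed name
    // such as /tmp/com.example.plugin is never reused.
    char buf[PATH_MAX];
    if (strlcpy(buf, [template fileSystemRepresentation], sizeof buf) >= sizeof buf) {
        return nil;
    }
    if (mkdtemp(buf) == NULL) {
        return nil;
    }
    return [[NSFileManager defaultManager] stringWithFileSystemRepresentation:buf
                                                                       length:strlen(buf)];
}

// Extracts one member of a ZIP (or renamed ZIP such as .ipa) archive into the
// scratch directory with /usr/bin/unzip and returns its bytes, or nil if any
// step fails. 'member' is the path inside the archive, e.g. a hypothetical
// "Payload/Example.app/embedded.mobileprovision".
static NSData *QLExtractArchiveMember(NSURL *archiveURL, NSString *member)
{
    NSString *scratch = QLCreateScratchDirectory(@"com.example.qlscratch");
    if (scratch == nil) {
        return nil;
    }
    NSData *result = nil;

    NSTask *unzip = [[NSTask alloc] init];
    unzip.launchPath = @"/usr/bin/unzip";
    // Each argument is passed separately, so nothing in the archive path or
    // member name is ever interpreted by a shell. -o overwrites silently,
    // -qq suppresses output, -d sets the destination directory.
    unzip.arguments = @[@"-o", @"-qq", [archiveURL path], member, @"-d", scratch];
    unzip.standardOutput = [NSFileHandle fileHandleWithNullDevice];
    unzip.standardError  = [NSFileHandle fileHandleWithNullDevice];
    @try {
        [unzip launch];
        [unzip waitUntilExit];
        if (unzip.terminationStatus == 0) {
            NSString *extracted = [scratch stringByAppendingPathComponent:member];
            result = [NSData dataWithContentsOfFile:extracted];
        }
    } @catch (NSException *e) {
        // NSTask raises if the helper cannot be launched at all.
        result = nil;
    }

    // Always remove the scratch directory so extracted files do not linger
    // in the shared per-plug-in temp directory.
    [[NSFileManager defaultManager] removeItemAtPath:scratch error:NULL];
    return result;
}
```

A generator would call QLExtractArchiveMember from its GeneratePreviewForURL callback with the preview URL and the member it needs, then render the returned data. The mkdtemp() step is what makes the per-plug-in temp directory safe to share: a fixed subdirectory name (the pattern the denied /private/tmp/com.iconfactory.Provisioning path in the log followed) would collide with another preview of the same plug-in still running, whereas a unique 0700 directory that is removed on every exit path does not.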
