Official Apple demo code for validating App Store receipts results in SandboxViolation
| Originator: | kastansn | ||
| Number: | rdar://31280899 | Date Originated: | |
| Status: | Open | Resolved: | |
| Product: | macOS | Product Version: | 10.12.4 |
| Classification: | Other | Reproducible: | Always |
Area:
App Sandbox
Summary:
When using the official Apple demo code for getting the GUID of a Mac which can be found at https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html and is critical for implementing Mac App Store receipt validation, the code results in a "deny nvram-get BSD Name" sandbox violation.
The offending function that triggers the sandbox violation seems to be io_service_get_matching_services_bin() in IOKit.
Steps to Reproduce:
1. Open Console.app and filter for the string "SandboxViolation"
2. Open the attached demo project with Xcode
3. Adjust the code signing parameters of the project's target to those of a valid team / mac developer account of yours
4. Examine the copy_mac_address() function in main.m - it is an unaltered copy straight out of Apple's documentation
5. Build and run
Expected Results:
There should be no offending entries in the console log.
Actual Results:
The following error is logged and marked yellow in the console log.
error 22:05:35.664754 +0200 sandboxd com.apple.sandbox.reporting SandboxViolation: Demo(5545) deny nvram-get BSD Name
Violation: deny nvram-get BSD Name
Process: Demo [5545]
Path: /Users/redacted/Library/Developer/Xcode/DerivedData/Demo-hgmrugolpnwblmglupkfiklymlvs/Build/Products/Debug/Demo.app/Contents/MacOS/Demo
Load Address: 0x100000000
Identifier: com.redacted.Demo
Version: 1 (1.0)
Code Type: x86_64 (Native)
Parent Process: debugserver [5546]
User ID: 501
Date/Time: 2017-03-27 22:05:35.648 GMT+2
OS Version: Mac OS X 10.12.4 (16E195)
Report Version: 8
Thread 0 (id: 125403):
0 libsystem_kernel.dylib 0x00007fffacad134a mach_msg_trap + 10
1 IOKit 0x00007fff98c8a985 io_service_get_matching_services_bin + 188
2 IOKit 0x00007fff98c0d1ea IOServiceGetMatchingServices + 208
3 Demo 0x0000000100000d37 copy_mac_address + 151 (main.m:36)
4 Demo 0x0000000100000e4b main + 27 (main.m:65)
5 libdyld.dylib 0x00007fffac9aa235 start + 1
6 Demo 0x0000000000000003
Binary Images:
0x100000000 - 0x100000ffb com.redacted.Demo (1.0 - 1) <30fa2d22-4ec4-3695-bba1-0e4952515618> /Users/redacted/Library/Developer/Xcode/DerivedData/Demo-hgmrugolpnwblmglupkfiklymlvs/Build/Products/Debug/Demo.app/Contents/MacOS/Demo
0x7fff98c08000 - 0x7fff98c9dfff com.apple.framework.IOKit (2.0.2) <ba7dc917-35a9-3d1b-bbec-adf4495a166d> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x7fffac9a5000 - 0x7fffac9aaffb libdyld.dylib (433.5) <129d3b44-fb21-3750-9a68-48b5c3dc632b> /usr/lib/system/libdyld.dylib
0x7fffacabf000 - 0x7fffacae1ff7 libsystem_kernel.dylib (3789.51.2) <fc51d7b0-8292-3f6a-9231-64340b237eb7> /usr/lib/system/libsystem_kernel.dylib
MetaData: {"build":"Mac OS X 10.12.4 (16E195)","action":"deny","target":["BSD Name"],"hardware":"Mac","platform_binary":"no","profile":"unknown","process":"Demo","op":"nvram-get"}
Version:
macOS 10.12.4 (16E195)
Notes:
The problem seems to have been introduced with macOS 10.12.4. but I have not checked older point releases of 10.12.
It does not appear on 10.11.x
Configuration:
Attachments:
'Demo.zip' was successfully uploaded.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!