"sandbox_apply_container: Operation not permitted" error with xcodebuild and Swift package dependencies #59
Replies: 6 comments 8 replies
-
Here's my workaround: I should also add that I suspect an upgrade from Xcode 11.x to Xcode 12 triggered the regression, though I haven't reverted back to Xcode 11.x to check that. It could also have been a macOS or homebrew upgrade.
-
I think this should really be an Apple bug report. There is nothing homebrew can do short of disabling sandboxing, which isn't gonna happen.
-
Creating a shim for
-
@p00ya, @carlocab, I just ran into this issue trying to install https://github.com/samuelmeuli/tmignore via brew. What's the next step for this issue? Is there someone from the Homebrew team that has a contact in Apple to get some guidance from? Or is a shim the preferred option? And, if so, @p00ya do you have any availability to look into that, noting that this issue was raised over 6 months ago so you might have moved on to other things?
-
Okay, I know I'm bumping an old thread, but it's become relevant again. So for Xcode projects that use SPM there is the option For Xcode projects that are using plugins (e.g. macros) though, it's a bit more complicated. I did not find an option to So now my question is: would it be possible to force the
-
Yes, probably. We already have a shim for Feel free to open a PR.
-
I noticed a recent regression with a formula I maintain (p00ya/tap/vivtool). I get an error from `brew install` like:

In the system console, there'll be an entry like:

These errors indicate that a process that is already sandboxed is calling `sandbox-exec`. The macOS sandbox doesn't nest, so this leads to an error. This only happens when building in homebrew's build environment; running the same `xcodebuild` command from a clean checkout of the repo has no error.

To figure out what was calling `sandbox-exec`, I built the formula with homebrew's debug mode, created my own `sandbox-exec` binary (purely for the purpose of debugging this one issue - obviously it's a bad idea in general) and traced through the process chain that leads to this:

So what's happening is that as part of building a swift package dependency, `xcodebuild` will compile and run a manifest file from that package, but will wrap the call in `sandbox-exec` so it doesn't do anything nefarious as part of building. Unfortunately, when building with homebrew (and only then), there is already a sandbox at a higher level, so this fails. I'm not exactly sure where the initial sandbox is getting created - I can still repro by repeating the `xcodebuild` command from the shell I get with `install -d`, but the shell itself doesn't seem restricted.

I think maintainers of formulae for actual Swift packages have been dealing with a similar issue by passing `--disable-sandbox` to swift, e.g. this SwiftLint commit, and indeed many formulae in `homebrew-core`. But no such option exists for `xcodebuild`.

I think fixing this behaviour properly requires some intervention from Apple (I suspect something in the homebrew environment or shims is causing xcodebuild to run sandboxed, in which case it shouldn't be calling subprocesses with `sandbox-exec`). Other potential Apple-dependent solutions would be to make their sandbox nest (restrictions get tighter), or to have a flag on `xcodebuild` similar to swift's `--disable-sandbox`.

In the meantime, the most pragmatic solution I can find that I can perform as a formula maintainer is to do the same thing I did for debugging: create a `sandbox-exec` replacement and put it on the PATH during the homebrew build. I do worry that this is fragile (I'm surprised Apple didn't hardcode `/usr/bin/sandbox-exec` in the first place), but at least that means users can install the package.

Has anyone else encountered this / have a better solution?
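The nesting failure described in the post above, as an added shell probe (not code from the thread, from Homebrew, or from Apple): it tries to run a trivial command under a nested `sandbox-exec` and classifies the result, so a formula maintainer can check from inside the build shell whether an outer sandbox is already in place before blaming `xcodebuild`. The minimal profile string, the exit-code convention and the script name used in the guard are assumptions of this example; the error text it matches is the one in the thread title.

```shell
#!/bin/sh
# Constructed example: detect whether the current process already runs inside a
# macOS sandbox by attempting to nest sandbox-exec, which macOS does not allow.
# Assumes /usr/bin/sandbox-exec exists on macOS; elsewhere the probe says so
# instead of guessing.

# Classify sandbox-exec's stderr text. Prints one of:
#   ok      - no error text at all
#   nested  - the kernel refused to apply a second container (already sandboxed)
#   other   - any other failure (bad profile, missing command, ...)
classify_sandbox_stderr() {
  case "$1" in
    "") echo ok ;;
    *"sandbox_apply_container: Operation not permitted"*) echo nested ;;
    *) echo other ;;
  esac
}

# Run /usr/bin/true under a permissive profile and classify what happens.
# Exit status: 0 = nesting works (not sandboxed), 1 = already sandboxed,
# 2 = cannot determine (sandbox-exec unavailable or failed for another reason).
probe_nested_sandbox() {
  if ! command -v sandbox-exec >/dev/null 2>&1; then
    echo "sandbox-exec not available on this host; cannot probe" >&2
    return 2
  fi
  # Capture only stderr; stdout of the child is discarded.
  err=$(sandbox-exec -p '(version 1) (allow default)' /usr/bin/true 2>&1 >/dev/null)
  case "$(classify_sandbox_stderr "$err")" in
    ok)     echo "not sandboxed: nested sandbox-exec succeeded"; return 0 ;;
    nested) echo "already sandboxed: $err" >&2; return 1 ;;
    *)      echo "sandbox-exec failed for another reason: $err" >&2; return 2 ;;
  esac
}

# Only run the probe when executed as a script named probe_sandbox.sh (assumed
# name), so the functions can also be sourced from another shell.
case "${0##*/}" in
  probe_sandbox.sh) probe_nested_sandbox ;;
esac
```

Run it from the shell that `brew install -d` drops you into; an exit status of 1 confirms the build environment itself is sandboxed, which is the condition under which `xcodebuild`'s own `sandbox-exec` wrapper around the package manifest cannot succeed.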