[solved] QtWebEngineProcess not working in sandboxed application

nando76 · wrote on 15 Dec 2014, 20:50

Hi,

Qt 5.4.0 final release

my app starts in sandbox, but QtWebEngineProcess is not allowed to start / crashes due to sandbox restrictions .
Maybe i must set entitlements explicitly for QtWebEngineProcess... but how?
I created a entitlement file for:

@<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
@

But how do i have to apply it to the QtWebEngineProcess inside my bundle?

Here is the error log:

@Process: QtWebEngineProcess [45564]
Path: /development/*/MyProcess.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Identifier: QtWebEngineProcess
Version: ???
Code Type: X86-64 (Native)
Parent Process: MyProcess [45560]
Responsible: MyProcess [45560]
User ID: 501

Date/Time: 2014-12-15 21:44:38.757 +0100
OS Version: Mac OS X 10.10.1 (14B25)
Report Version: 11
Anonymous UUID: 08FE5E3D-C136-084C-7579-A2F503845AE3

Sleep/Wake UUID: 4357B39D-B4A3-46CE-A395-EA4ECBE89802

Time Awake Since Boot: 30000 seconds
Time Since Wake: 14000 seconds

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000

Application Specific Information:
Could not set sandbox profile data: Operation not permitted (1)

Application Specific Signatures:
SYSCALL_SET_PROFILE

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_secinit.dylib 0x00007fff9a0e84b7 _libsecinit_setup_app_sandbox + 805
1 libsystem_secinit.dylib 0x00007fff9a0e7b21 _libsecinit_initialize_once + 20
2 libdispatch.dylib 0x00007fff969d9c13 _dispatch_client_callout + 8
3 libdispatch.dylib 0x00007fff969d9b26 dispatch_once_f + 117
4 libSystem.B.dylib 0x00007fff93698aaa libSystem_initializer + 131
@

Greetings
Nando

Seamus Boyle · wrote on 17 Dec 2014, 03:01

@
codesign -s $YOUR_CERT -i "com.yourcompany.QtWebEngineProcess" --entitlements /path/to/inherit.entitlements /path/to/QtWebEngineProcess.app
@

nando76 · wrote on 17 Dec 2014, 21:08

Hi Seamus,
thanks for the tip. i will try it and the report.

nando76 · wrote on 17 Dec 2014, 21:29

i have still the same error:

APPCERT = "3rd Party Mac Developer Application: <my company name...>"
BUNDLEID = "my app bundle id"

@
QT_WEBENGINE_PROCESS_ENTITLEMENTS = $$PWD/QtWebEngineProcess.entitlements

codesign.commands += codesign -s '$${APPCERT}' -i "com.yourcompany.QtWebEngineProcess" --entitlements "$${QT_WEBENGINE_PROCESS_ENTITLEMENTS}" $${TARGET}.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app;
codesign.commands += codesign -s '$${APPCERT}' -i "org.qt-project.Qt.QtWebEngineCore" $${TARGET}.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/Current;
codesign.commands += codesign -s '$${APPCERT}' -i "org.qt-project.Qt.QtWebEngineCore" $${TARGET}.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Libraries/ffmpegsumo.so;
@

content of QT_WEBENGINE_PROCESS_ENTITLEMENTS = $$PWD/QtWebEngineProcess.entitlements:

@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
@

This is the console output:

@17/12/14 23:16:25,816 sandboxd[465]: ([58974]) QtWebEngineProce(58974) deny forbidden-sandbox-reinit
17/12/14 23:16:25,823 com.apple.xpc.launchd[1]: (com.apple.ReportCrash[58975]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash
@

Seamus Boyle · wrote on 18 Dec 2014, 00:07

The bundle id in my example, "com.yourcompany.QtWebEngineProcess", is not a place-holder, use it verbatim.

Seamus Boyle · wrote on 18 Dec 2014, 20:32

@<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>@

Relevant lines from my post build script
@export L_TARGET=$BUILT_PRODUCTS_DIR/$FULL_PRODUCT_NAME
export L_TARGET_FRAMEWORKS=$L_TARGET/Contents/Frameworks
mkdir -p $L_TARGET_FRAMEWORKS
codesign --force -s "$APPCERT" -i "org.qt-project.QtWebEngine" $L_TARGET_FRAMEWORKS/QtWebEngine.framework/
codesign --force -s "$APPCERT" -i "com.yourcompany.QtWebEngineProcess"
--entitlements ~/working/sandbox-inherit.entitlements
$L_TARGET_FRAMEWORKS/QtWebEngineCore.framework/Versions/Current/Helpers/QtWebEngineProcess.app
codesign --force -s "$APPCERT" -i "org.qt-project.Qt.QtWebEngineCore" $L_TARGET_FRAMEWORKS/QtWebEngineCore.framework/
codesign --force -s "$APPCERT" -i "org.qt-project.QtWebEngineWidgets" $L_TARGET_FRAMEWORKS/QtWebEngineWidgets.framework/@

nando76 · wrote on 18 Dec 2014, 21:39

Thank you very much Seamus!
Now it is working :)

elsamuko · wrote on 16 Jan 2020, 08:41

For those who read this in 2020:

I needed to add the entitlement

    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>

to the entitlements of the webengine process. This is needed for the V8 engine to make memory executable.
The entitlement com.apple.security.app-sandbox isn't necessary, but doesn't harm.