Electron broken on OS X in Apple Sandboxed apps (App Store)

[sethlu]

🍎 Not sure if this is related to the Chromium itself.
I've been trying and successfully packed and signed my app, but still there are logs in console like:

12/19/15 9:45:14.000 PM kernel[0]: Sandbox: Electron Helper(15181) deny(1) mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:14.000 PM kernel[0]: Sandbox: Electron Helper(15181) deny(1) mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:15.520 PM sandboxd[326]: ([15176]) Electron Helper(15176) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:15.574 PM sandboxd[326]: ([15176]) Electron Helper(15176) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:15.926 PM sandboxd[326]: ([15177]) Electron Helper(15177) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:15.958 PM sandboxd[326]: ([15177]) Electron Helper(15177) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:16.742 PM sandboxd[326]: ([15178]) Electron Helper(15178) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:16.773 PM sandboxd[326]: ([15178]) Electron Helper(15178) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:16.946 PM sandboxd[326]: ([15180]) Electron Helper(15180) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:16.977 PM sandboxd[326]: ([15180]) Electron Helper(15180) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175

The following extract from my entitlements doesn't seem work work. I guess that Wildcards may not be accepted; however, the * bits keep changing every time I execute the application.

<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array>
  <string>org.chromium.Chromium.rohitfork.*</string>
  <string>org.chromium.Chromium.iosurfacemgr.*</string>
</array>

May there be any fixes on this in future releases?
P.S.: I've found that the sandboxed app runs much slower and has some issues (like jittering graphics, the best way I could describe it). Again, I guess it is related to the denials from sandboxing.
Thanks!

[sethlu]

The Electron version was 0.36.1 MAS build.
I've tested with the 0.36.0 OS X version; sadly the same occurred.
Thanks again.

[sethlu]

On this issue, I've already tested with v0.35.x (mas builds). Though still giving the deny mach-lookup logs, the graphics issue doesn't seem to occur at all.
Also need to mention: For the mas builds (tested with v0.36.0-v.36.7 mas builds), before signing with sandbox entitlements the application works fine. The graphics issue only appears after code-signed.
The darwin builds are not affected, as they do not get signed with entitlements for sandboxing.

[alchen]

Same here. I'm reverting back to v0.35.x for now. Maybe we need to wait until the upgrade to Chrome 48 over at electron/libchromiumcontent#175 arrives.

[matthieualouis]

I have the same issue, and I'm using the very latest MAS build (0.37.1). This latest build upgrades to Chromium 49 so I thought it might resolve this, but it doesn't.

[sethlu]

Just tested some of the recent releases of Electron:

• Electron v0.36.x darwin builds all work very well.
• Electron v0.36.x mas builds work with some glitch in graphics after sandboxed (I assume with CSS transitions and animations, or for things related to GPU)?
• Electron v0.37.0 darwin/mas fails to start (fixed in v0.37.1).
• Electron v0.37.1 darwin build has some glitch like that in Electron v0.36.x mas builds (before and after code signed for distribution).
• Electron v0.37.1 mas build has some glitch like that in Electron v0.36.x mas builds; however, it fails to load after sandboxed?

[sethlu]

(cont'd) when signing with only sandbox entitlements for Electron v0.37.1 mas build:

3/14/16 5:23:51.171 PM sandboxd[395]: ([3742]) test-0.37.1 Help(3742) deny mach-lookup org.chromium.Chromium.rohitfork.3741
3/14/16 5:23:51.311 PM sandboxd[395]: ([3743]) test-0.37.1 Help(3743) deny mach-lookup org.chromium.Chromium.rohitfork.3741
3/14/16 5:23:51.461 PM sandboxd[395]: ([3744]) test-0.37.1 Help(3744) deny mach-lookup org.chromium.Chromium.rohitfork.3741
3/14/16 5:23:51.719 PM Electron[3741]: __net_helper_get_connection_block_invoke_3 could not connect to networkd
3/14/16 5:23:51.719 PM Electron[3741]: __nw_path_evaluator_start_helper_connection_block_invoke net_helper_path_evaluation_start callback failed, dumping backtrace:
        [x86_64] libnetcore-583.20.10
    0   libsystem_network.dylib             0x00007fff96104ba5 __nw_create_backtrace_string + 123
    1   libsystem_network.dylib             0x00007fff9611de68 __nw_path_evaluator_start_helper_connection_block_invoke + 22
    2   libxpc.dylib                        0x00007fff8c19691f _xpc_connection_reply_callout + 26
    3   libxpc.dylib                        0x00007fff8c1968c0 _xpc_connection_call_reply + 36
    4   libdispatch.dylib                   0x00007fff9b90b33f _dispatch_client_callout + 8
    5   libdispatch.dylib                   0x00007fff9b90ff6f _dispatch_queue_drain + 754
    6   libdispatch.dylib                   0x00007fff9b91663b _dispatch_queue_invoke + 549
    7   libdispatch.dylib                   0x00007fff9b90ec87 _dispatch_root_queue_drain + 538
    8   libdispatch.dylib                   0x00007fff9b90ea34 _dispatch_worker_thread3 + 91
    9   libsystem_pthread.dylib             0x00007fff91b6768f _pthread_wqthread + 1129
    10  libsystem_pthread.dylib             0x00007fff91b65365 start_wqthread + 13
3/14/16 5:23:51.720 PM Electron[3741]: nw_path_evaluator_start_helper_connection net_helper_path_evaluation_start failed, dumping backtrace:
        [x86_64] libnetcore-583.20.10
    0   libsystem_network.dylib             0x00007fff96104ba5 __nw_create_backtrace_string + 123
    1   libsystem_network.dylib             0x00007fff9611a228 nw_path_evaluator_start_helper_connection + 196
    2   libdispatch.dylib                   0x00007fff9b916871 _dispatch_call_block_and_release + 12
    3   libdispatch.dylib                   0x00007fff9b90b33f _dispatch_client_callout + 8
    4   libdispatch.dylib                   0x00007fff9b90ff6f _dispatch_queue_drain + 754
    5   libdispatch.dylib                   0x00007fff9b91663b _dispatch_queue_invoke + 549
    6   libdispatch.dylib                   0x00007fff9b90ec87 _dispatch_root_queue_drain + 538
    7   libdispatch.dylib                   0x00007fff9b90ea34 _dispatch_worker_thread3 + 91
    8   libsystem_pthread.dylib             0x00007fff91b6768f _pthread_wqthread + 1129
    9   libsystem_pthread.dylib             0x00007fff91b65365 start_wqthread + 13
3/14/16 5:23:51.917 PM sandboxd[395]: ([3741]) Electron(3741) deny mach-lookup com.apple.network

I thought Electron may try to load up remote resources, so then added entitlements (still with sandbox) for network client:

3/14/16 5:27:58.223 PM sandboxd[395]: ([3795]) test-0.37.1 Help(3795) deny mach-lookup org.chromium.Chromium.rohitfork.3794
3/14/16 5:27:58.378 PM sandboxd[395]: ([3796]) test-0.37.1 Help(3796) deny mach-lookup org.chromium.Chromium.rohitfork.3794
3/14/16 5:27:58.523 PM sandboxd[395]: ([3797]) test-0.37.1 Help(3797) deny mach-lookup org.chromium.Chromium.rohitfork.3794

Interesting, the logs about networking disappeared. However, the app still doesn't load properly with something blank as attached.

Looks a bit different from #3771.

[hachi8833]

Same issue on 0.37.1.

Looks like the issue comes from the recent CEF builds:
http://www.magpcss.org/ceforum/viewtopic.php?f=6&t=13469

FYI: prepared the two Electron-MAS binaries to reproduce the issue.
https://drive.google.com/folderview?id=0B8jpVsBA-4FrOTllTlZGOU5JeFU&usp=sharing

Electron_v0.35.6-mas.app can be launched while Electron_v0.37.2-mas.app does not work. The only difference between them is MAS version.

FYI2: FYI https://github.com/electron-userland/electron-osx-sign/wiki/2.-Electron-Compatibility

[sethlu]

Just tested; the same from Electron v0.37.1 appears in v0.37.2.

[herrmannplatz]

Can confirm this for 0.37.2

[sethlu]

Seems that the launching issue in v0.37.1's been fixed in v0.37.2. However, v0.37.2 mas seems failing when sandboxed; it freezes with the window showing up.

[jarek-foksa]

Using v0.37.2 with MAS sandbox, I can create new browser windows, but the app freezes after I call browserWindow.loadURL(someURL). There are no errors printed in the console.

[fuermosi777]

v0.36.2 works perfect after signing, but after signing v0.37.2, the app keeps showing "Not responding" and no window showed up.

[luin]

I got the same issue as @fuermosi777. The signed app (v0.37.2) kept not responding while it worked perfect with v0.35.4.

Related logs here: https://gist.github.com/luin/33074d4f340aba0cc000

[tosslab-jay]

Hi, I'm a product manager at JANDI, a business messaging platform from South Korea, which is being used by dozens of thousands active users everyday. We're trying to shift to Electron for our web app but this particular issue is a major road block for us for releasing to MAS. I really wish this issue can be solved in a near future so that we can add my product to the list of Electron-used services. Always appreciating the hard work of the crew. Thanks.

[sethlu]

Just tested; the same from Electron v0.37.1 appears in v0.37.2.

Hey, just some updates with my testing with v0.37.3:

Before sandboxing/codesigning:

• darwin build works, with some slight graphics issues.
• mas build the same as above.

After sandboxing/codesigning:

• darwin build has some graphics issue drawing the elements when animating, as far as I've tested.
• mas build doesn't really load up the webpage, and freezes. It doesn't crash by itself, needs terminating.

---

I'm thinking about changing a title for this issue, as rohitfork and iosurfacemgr aren't the real factors causing these issues. 😕

[tyv]

same problem, looking forward for fix

[tyv]

sad thing I need API introduced at 0.36.11 and can't just use old mas build.
any workaround ideas?

[anaisbetts]

This is a super important bug for us at Slack, we'll probably have a look at this soon

[zcbenz]

For people interested in fixing this, here are some hints:

• The root cause is after sandboxing Chromium's IPC system starts to have troubles, in 0.36 GPU process is unable to start, and in 0.37 even renderer process is not able to run.
• This starts to happen from 0.36, which upgrades Chromium from 45 to 47.
• I believe this is because Chromium started to use XPC instead of raw mach messages for IPC.

Related issues in Chromium:
https://bugs.chromium.org/p/chromium/issues/detail?id=382931
https://bugs.chromium.org/p/chromium/issues/detail?id=367863

[zcbenz]

A possible solution is to force using old system by setting is_yosemite_or_later_ to false in PreExecDelegate::PreExecDelegate:
https://code.google.com/p/chromium/codesearch#chromium/src/sandbox/mac/pre_exec_delegate.cc&sq=package:chromium&type=cs&l=37

But from the Chromium issue they switched to use XPC because from Yosemite the old implemented is not compatible with the OS and crash happens.

[tyv]

@sethlu here is debug log https://gist.github.com/tyv/d96a11c5fde73e3966b0014311a3079f

[tyv]

the main concern is, after I sign app (in different ways without any errors), it is unable to run it.
it self closes itself.

[sethlu]

@tyv, I think your app is well signed. May you check in the Console as well to see if any error arises when your app launches? Also, I would recommend removing the temporary exception in https://github.com/ubergrape/grape-electron/blob/master/resources/osx/child.plist#L9-L10 before building another testing release.

[tyv]

@sethlu
i see only

7/26/16 13:36:49.427 sandboxd[19719]: ([20302]) Grape(20302) deny network-bind /private/var/folders/dr/cw1hncvj5vz4_p44q4nbjzgm0000gn/T/com.ChatGrape/S/SS

[tyv]

@sethlu here is full report https://gist.github.com/tyv/347298b455b560ea9721cf8ff09d0fe8

[tyv]

and one more

7/26/16 13:54:54.241 taskgated[509]: no application identifier provided, can't use provisioning profiles [pid=20987]

[tyv]

@sethlu it looks like it is same as here: electron/osx-sign/issues/59
any update on that problem?

[sethlu]

Hi @tyv, apologies for my late reply; I've been away for the past few days.

The issue electron/osx-sign#59 I think is slightly different in the way that a critical problem lies on the video en/decoder. (However, I don't know how @jpittner got around the video en/decoder issue... Or just following the conceptual signing flow at https://github.com/sethlu/electron-distribution-guide then everything just naturally resolved.)

The app should still launch with no application identifier provided... and without significant effects as far as I have heard 😕. So far I believe with your app correctly signed, the only signage is really only deny network-bind... Let me have a check for a resolution.

[jpittner]

@the video decoder/encoder stuff went away once the package was properly signed. Right now, I've got it working with MAS build (and can use a development provisioning profile to test it) but am having some trouble getting the developer-id signed version (that is, for non-MAS distribution) to work properly!

edit - spoke too soon. That was with prior version (1.2.x) with 1.3.1 I'm now running into problems getting the MAS build to load up on my development machine.

[sethlu]

@tyv I've managed to investigate a bit more over the past few days... Apple sandbox does not allow network-bind outside sandboxed containers but I am not sure what actually caused your app to have such behavior. Have you tried to create sockets in your code?

---

@jpittner Thanks for the info! I will have a look at the latest MAS builds.

[kof]

@sethlu by sockets you also include websocket?

[tyv]

@sethlu

Have you tried to create sockets in your code?

all this app does is change location.href to the https://... where is web app is and this app yes, opens websocket connection.

[sethlu]

@kof About web socket, from the text network-bind I think it does not matter much as long as it does not touch critical areas about binding essentially I guess?

Network-bind
Syntax: Actions: Filters: Modifiers:
(action network-bind [filter] [modifier]) allow deny
network path file-mode
send-signal no-log
Definition:
Control access to socket bind(). It has no support for IP filtering, it must be localhost or * (check network filter for more information).
Applies to:
bind, unp_bind
Example(s):
(deny network-bind (local ip "*:7890"))
$ sandbox-exec -f ls2 nc -l 7890
nc: Operation not permitted
Log output:
Sep 2 21:08:41 macbox sandboxd[45438]: nc(45437) deny network-bind 0.0.0.0:7890

Ref: https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf

[kof]

so maybe it is the web sockets from non-localhost domain?

[sethlu]

@tyv Have you tried to add com.apple.security.network.client in the app(/parent) entitlements file? Sorry I'm not sure if it may work for that I have not encountered similar cases.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>Y8DPE6DGC7.com.ChatGrape</string>
  </dict>
</plist>

[tyv]

I'll try

[tyv]

I am able to run empty app after sign.
Will try to find what cause problem and will report back.

[tyv]

okay, I found what kills app when it is signed
http://electron.atom.io/docs/all/#appmakesingleinstancecallback
shouldQuit === true in this example from old official doc:

const shouldQuit = app.makeSingleInstance(() => {
  const {mainWindow} = state
  // Someone tried to run a second instance, we should focus our window
  if (mainWindow) showMainWindow()
  return true
})

if (shouldQuit) quit()

[tyv]

@sethlu it is same with new snippet from the doc

[sethlu]

@tyv does you app work now?

[tyv]

I removed that code and yes, but yet didn't have time to check whats wrong with that method
why it is always returns true when app is signed

On Aug 7, 2016, at 12:06, Zhuo Lu notifications@github.com wrote:

@tyv does you app work now?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

[sethlu]

@tyv A couple of places I think where this issue occurs:

1. electron/atom/browser/api/atom_api_app.cc

   Lines 426 to 431 in 9116939

   	switch (process_singleton_->NotifyOtherProcessOrCreate()) {
   	case ProcessSingleton::NotifyResult::LOCK_ERROR:
   	case ProcessSingleton::NotifyResult::PROFILE_IN_USE:
   	case ProcessSingleton::NotifyResult::PROCESS_NOTIFIED:
   	process_singleton_.reset();
   	return true;

2. electron/chromium_src/chrome/browser/process_singleton_posix.cc

   Lines 881 to 902 in 99ec841

   	ProcessSingleton::NotifyOtherProcessWithTimeoutOrCreate(
   	const base::CommandLine& command_line,
   	int retry_attempts,
   	const base::TimeDelta& timeout) {
   	NotifyResult result = NotifyOtherProcessWithTimeout(
   	command_line, retry_attempts, timeout, true);
   	if (result != PROCESS_NONE)
   	return result;
   	if (Create())
   	return PROCESS_NONE;
   	// If the Create() failed, try again to notify. (It could be that another
   	// instance was starting at the same time and managed to grab the lock before
   	// we did.)
   	// This time, we don't want to kill anything if we aren't successful, since we
   	// aren't going to try to take over the lock ourselves.
   	result = NotifyOtherProcessWithTimeout(
   	command_line, retry_attempts, timeout, false);
   	if (result != PROCESS_NONE)
   	return result;
   	return LOCK_ERROR;
   	}

3. electron/chromium_src/chrome/browser/process_singleton_posix.cc

   Lines 740 to 754 in 99ec841

   	ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessWithTimeout(
   	const base::CommandLine& cmd_line,
   	int retry_attempts,
   	const base::TimeDelta& timeout,
   	bool kill_unresponsive) {
   	DCHECK_GE(retry_attempts, 0);
   	DCHECK_GE(timeout.InMicroseconds(), 0);
   	base::TimeDelta sleep_interval = timeout / retry_attempts;
   	ScopedSocket socket;
   	for (int retries = 0; retries <= retry_attempts; ++retries) {
   	// Try to connect to the socket.
   	if (ConnectSocket(&socket, socket_path_, cookie_path_))
   	break;

Seems that Electron does open a socket and send out a message checking process singleton... I'm not yet sure how to avoid having the network binding be addressed in sandbox though.

[tyv]

okay, i see, so if this isn't fixable, probably comment in guide is a good idea.

[tyv]

or default value should be false, and still comment near the method doc, would be nice

[anaisbetts]

Why would this not be fixable? It's our code - can you file a separate bug?

[tyv]

@paulcbetts here you go ^^^

[patricksebastien]

Hi,
Not fix at all, even with a simple HelloWorld. Anyone have an idea of what needs to be done to sumbit my app to Mac Store (the build is working nicely when not signing the app).

electron-packager . "MyApp" --platform=mas --arch=x64 --overwrite --version=1.4.4 --app-bundle-id="com.mycie.myapp" --app-version="1.0.0" --build-version="666"

electron-osx-sign "MyApp.app" --entitlements="mas.default.entitlements" --entitlements-inherit="mas.inherit.default.entitlements"

electron-osx-flat "MyApp"

mas.default.entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>XXXXXXXXXXX.com.mycie.myapp</string>
  </dict>
</plist>

mas.inherit.default.entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

electron-osx-sign:warn No `platform` passed in arguments, checking Electron platform... +0ms
  electron-osx-sign:warn No `identity` passed in arguments, discovering identities... +3ms
  electron-osx-sign Signing application... +1s
  electron-osx-sign > application         MyApp-mas-x64/MyApp.app +0ms
  electron-osx-sign > platform            mas +0ms
  electron-osx-sign > entitlements        ../mas.default.entitlements +0ms
  electron-osx-sign > child-entitlements  ../mas.inherit.default.entitlements +0ms
  electron-osx-sign > additional-binaries  +1ms
  electron-osx-sign > identity            3rd Party Mac Developer Application: BAYARD PRESSE (VE4JH2R5J4) +0ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/MyApp Helper EH.app/Contents/MacOS/MyApp Helper EH +117ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/MyApp Helper EH.app +130ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/MyApp Helper NP.app/Contents/MacOS/MyApp Helper NP +120ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/MyApp Helper NP.app +119ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/MyApp Helper.app/Contents/MacOS/MyApp Helper +121ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/MyApp Helper.app +119ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +122ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1s
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +152ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Frameworks/Electron Framework.framework +318ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/MacOS/MyApp +1s
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app/Contents/Resources/app/PepperFlashPlayer.plugin/Contents/MacOS/PepperFlashPlayer +599ms
  electron-osx-sign Signing... MyApp-mas-x64/MyApp.app +410ms
  electron-osx-sign Verifying sign... +612ms
  electron-osx-sign Verifying entitlements... +278ms
Application signed: MyApp-mas-x64/MyApp.app

[urgn-zz]

I'm facing this issue, what is the solution?
When
com.apple.security.app-sandbox is in my plist - my app gets whitescreen.