Hacker News new | ask | show | jobs
by mrpippy 2153 days ago
> you will not have meaningful kernel debugging

Given that kext development is still supported (although highly discouraged), won’t they have to support the same level of kernel debugging as usual?

> On macOS there are apps that are “grandfathered in” to not require the sandbox on the App Store

Can you name any of these apps? Apple’s own apps don’t have to be sandboxed (like Xcode or macOS installers), but I don’t know of anything else that gets an exception. Some apps like Office get special “holes” out of the sandbox (in the form of additional SBPL), but fundamentally they’re still sandboxed.
1 comments
saagarjha 2153 days ago
> Given that kext development is still supported (although highly discouraged), won’t they have to support the same level of kernel debugging as usual?

They just need to support loading kernel extensions. As watchOS has shown, developers will figure out a way to get their thing working on your device even if your make debugging extremely painful. (Apple's current silicon prevents debugging entirely because the kernel is prevented from being patched in hardware.)

> Can you name any of these apps?

Sure. If your app's bundle ID matches one of

  com.aspyr.civ6.appstore
  com.aspyr.civ6.appstore.Civ6MetalExe
  com.aspyr.civ6.appstore.Civ6Exe
  com.tencent.WeWorkMac
  com.tencent.WeWork-Helper
  com.igeekinc.DriveGenius3LEJ
  com.igeekinc.DriveGenius3LEJ.DriveGenius
  com.igeekinc.DriveGenius3LEJ.dgdefrag
  com.igeekinc.DriveGenius3LEJ.dgse
  com.igeekinc.DriveGenius3LEJ.dgprobe
  com.prosofteng.DGLEAgent
  com.prosofteng.DriveGeniusLE
  com.prosofteng.DriveGenius.Locum
  com.prosofteng.DriveGenius.Duplicate
  com.prosofteng.DriveGenius.Benchtest
  com.prosofteng.DriveGenius.FSTools
  com.prosofteng.DriveGenius.Scan
  com.prosofteng.DriveGenius.Probe
  com.prosofteng.DriveGenius.SecureErase
  com.prosofteng.DriveGenius.Defrag
dyld interposing is enabled for your app even if it comes from the App Store, opening the door for subverting the mechanism for applying the sandbox.
link
Wowfunhappy 2152 days ago
Huh, I wonder why those got exceptions. You said they were "Grandfathered in", but Civ 6 at least is recent.
link
saagarjha 2152 days ago
They're two separate groups. Group one, the grandfathered one, is "legitimate" software that was simply published to the store prior to the mandatory sandboxing requirement–those can still get updates and remain unsandboxed. The second group is the list that I posted here, that have special status in the dynamic linker (can interpose functions) and through that can (probably don't, but "can" on a technical level by exploiting flaws in how Apple does sandboxing) bypass the sandbox.
link