Not receiving any UDP data on a socket when App Sandbox is on in Cocoa app


I have a Cocoa app written in Swift 3.0, which is using a framework written in C++/Boost to receive UDP data on a socket. But when the App Sandbox capability is switched on in the Cocoa app I am not receiving any data from the socket, which I am also using to send data to the server first. When App Sandbox is switched off everything is working as expected. The entitlements com.apple.security.network.client and com.apple.security.network.server are set to YES.

Is there anything I can do to make it work with App Sandbox switched on (which is mandatory for apps in the Mac App Store)?

2

There are 2 answers

2
l'L'l On

It's possible to use the following entitlements to allow UDP/TCP socket connections:

com.apple.security.network.client
com.apple.security.network.server

According to Apple's "Elevating Privileges Safely" section in the documentation, opening raw sockets or port numbers below 1024 (UDP/TCP) requires elevated privileges. Elevating privileges is apparently not permitted at all in sandboxed apps.

Circumstances Requiring Elevated Privileges

Regardless of whether a user is logged in as an administrator, a program might have to obtain administrative or root privileges in order to accomplish a task. Examples of tasks that require elevated privileges include:

* manipulating file permissions, ownership
* creating, reading, updating, or deleting system and user files
* opening privileged ports (those with port numbers less than 1024) for TCP and UDP connections
* opening raw sockets
* managing processes
* reading the contents of virtual memory
* changing system settings
* loading kernel extensions

If you have to perform a task that requires elevated privileges, you must be aware of the fact that running with elevated privileges means that if there are any security vulnerabilities in your program, an attacker can obtain elevated privileges as well, and would then be able to perform any of the operations listed above.

Note: Elevating privileges is not allowed in applications submitted to the Mac App Store (and is not possible in iOS).

0
darko_5 On

I was able to make it work with both com.apple.security.network.client and com.apple.security.network.server enabled, and I am using ports much higher than 1024. We actually had problems with firewalls and with the backend on the other end. So to sum it up, it is possible to open a socket and receive UDP data in a sandboxed Cocoa app, but you need to have com.apple.security.network.server enabled.
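As an added example (not code from the question or from either answer), the entitlement conditions the two answers describe can be checked mechanically before submitting a build: sandbox on means outbound traffic needs network.client, inbound datagrams need network.server, and a port below 1024 cannot be bound without elevation. The plist contents and the check_network_entitlements function below are constructed for illustration; the keys themselves are the real Apple entitlement keys named on this page.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
NET_CLIENT = "com.apple.security.network.client"
NET_SERVER = "com.apple.security.network.server"

# Constructed: the entitlements of a sandboxed app that only sends (the
# situation where the receive side silently gets nothing).
WEAK_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""

# Constructed: the entitlements the second answer reports working.
FIXED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.network.server</key><true/>
</dict>
</plist>
"""


def check_network_entitlements(plist_bytes, listens, port):
    """Return findings explaining why a sandboxed app's UDP socket would fail.

    plist_bytes: raw .entitlements plist; listens: whether the app expects
    inbound datagrams; port: the local port the socket is bound to.
    """
    ent = plistlib.loads(plist_bytes)  # plistlib is stdlib and reads XML plists
    findings = []
    if not ent.get(SANDBOX, False):
        return findings  # sandbox off: these entitlements are not enforced
    if not ent.get(NET_CLIENT, False):
        findings.append(f"{NET_CLIENT} missing: outbound sends are blocked")
    if listens and not ent.get(NET_SERVER, False):
        findings.append(f"{NET_SERVER} missing: inbound datagrams never arrive")
    if port < 1024:
        findings.append(f"port {port} is privileged and needs elevation, "
                        "which a sandboxed (Mac App Store) app cannot obtain")
    return findings
```

On a built app the same plist can be obtained with `codesign -d --entitlements :- /path/to/App.app` and fed to the function.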