diff --git a/Sources/Blessed/BlessError.swift b/Sources/Blessed/BlessError.swift old mode 100644 new mode 100755 index 5b5517b..507d86a --- a/Sources/Blessed/BlessError.swift +++ b/Sources/Blessed/BlessError.swift @@ -38,7 +38,8 @@ public struct BlessError: Error { toolAssessor.infoPropertyListAuthorizedClients(type: .bundled), // 7 & 8 - bundled toolAssessor.infoPropertyListAuthorizedClients(type: .installed), // 7 & 8 - bundled toolAssessor.infoPropertyListBundleVersion(), // 9 - appAssessor.infoPropertyList(bundledHelperToolLocation: toolAssessor.bundledLocation, label: label) // 10 + appAssessor.infoPropertyList(bundledHelperToolLocation: toolAssessor.bundledLocation, label: label), // 10 + appAssessor.isNotSandboxed(), // 11 ] } } @@ -528,4 +529,20 @@ fileprivate struct AppAssessor { """) } } + + // 11 + func isNotSandboxed() -> Assessment { + if ProcessInfo.processInfo.isSandboxed { + // XPC services are usually found in a path like ".../MyApp.app/Contents/XPCServices/Bar.xpc/Contents/MacOS/MyService" + let isXPCService = Bundle.main.executableURL?.deletingLastPathComponent().path.hasSuffix(".xpc/Contents/MacOS") ?? false + let programType = isXPCService ? "XPC service" : "App" + + return .notSatisfied(explanation: """ + This \(programType) is sandboxed, which will cause SMJobBless() to always get denied. + Helper tools can only be blessed from a non-sandboxed \(programType). + """) + } + + return .satisfied + } } diff --git a/Sources/Blessed/ProcessInfo+Sandbox.swift b/Sources/Blessed/ProcessInfo+Sandbox.swift index c86d778..7972653 100644 --- a/Sources/Blessed/ProcessInfo+Sandbox.swift +++ b/Sources/Blessed/ProcessInfo+Sandbox.swift @@ -28,7 +28,7 @@ extension ProcessInfo { return false } - guard CFGetTypeID(entitlement) == CFBooleanGetTypeID(), let boolValue = (entitlement as? Bool) else { + guard let boolValue = entitlement as? Bool else { // The entitlement value must be a boolean value. If it's not, then it's presumbly not sandboxed. return false }