macOS cannot run sandbox-exec inside a process that's already being sandboxed #67
Description
Hi, thanks for the project. Ran into this with real use case: git push/pull via ssh
git remote set-url origin [email protected]:<org>/<repo>.git
git pull
Already up to date.
srt "git pull"
Running: git pull
sandbox-exec: sandbox_apply: Operation not permitted
Connection closed by UNKNOWN port 65535
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.Simplest repro:
srt "srt echo hi"
Running: srt echo hi
Running: echo hi
sandbox-exec: sandbox_apply: Operation not permittedLogs:
sudo log stream --style compact --info --debug --predicate '(((processID == 0) AND (senderImagePath CONTAINS "/Sandbox")) OR (subsystem == "com.apple.sandbox.reporting"))'
...
(Sandbox) Sandbox: sandbox-exec(27256) deny(1) forbidden-sandbox-reinitSome googling:
https://docs.google.com/document/d/108sr6gBxqdrnzVPsb_4_JbDyW1V4-DRQUC4R8YvM40M/view?tab=t.0#heading=h.dmjzqu3d5wju
https://bazel.build/docs/sandboxing#sandboxing-strategies
Possible nasty workaround for things that call sandbox-exec:
p00ya/homebrew-tap@6a07348