Sandbox Support

[vade]

Currently, our reliance on NSDistributedNotifications for Server Announce, Server Retirement, SurfaceID exposure, etc, limits Mac App Store capability due to the fact that NSUserInfo dictionaries cannot be populated to Applications running in a sandboxed environment.

This limits Syphon Framework to only be included in non Mac App Store binaries. That is sad.

[bangnoise]

The problem isn't limited to NSDistributedNotifications for service discovery - also CFMessage is disallowed and currently used for client setup and per-frame messaging.

We would welcome any work on this. Any pull request would ideally be accompanied with comparison of throughput and delay for any chosen alternatives.

[SerialForBreakfast]

Started a codebounty. https://www.bountysource.com/issues/24028084-sandbox-support

[triplef]

FYI we investigated using temporary exceptions to enable Syphon in our sandboxed app and found the following:

• There seems to be no temporary exception to allow sending distributed notifications with userInfo dictionaries. However, sending distributed notifications without userInfo dictionaries is supported with sandboxing, so if there’s a way to remove use of userInfo dictionaries in Syphon that part would be solved.
• Using CFMessagePort can be enabled with the "com.apple.security.temporary-exception.mach-lookup.global-name" temporary exception, however that requires specifying the port name(s) that communication should be allowed with. In the case of Syphon, the port name seems to be dynamic (a UUID). Maybe the solution would be to have some sort of global Syphon deamon process with a defined port name that apps can connect to?

[pnostudiodeveloper]

I finally got Syphon working in my music visualization app, but it looks like I won't be able to publish to the App Store because of Sandboxing.... a real shame.

Any chance there might be a fix to make Syphon compatible with macOS sandboxing in the near future?

[bangnoise]

Not in the near future, no, unless a third party contributes it. A rough outline of upcoming Syphon work is listed here.

[bangnoise]

Noting that #47 is related to the inevitable IPC changes when this is done.

[vade]

https://stackoverflow.com/questions/8637206/is-possible-to-use-mac-os-x-xpc-like-ipc-to-exchange-messages-between-processes

Seems like an interesting solution - specifically the XPC anonymous connection vending?

[bangnoise]

Yes I've used this technique elsewhere but haven't tried it (or passing IOSurfaces) within the Sandbox - thanks for the note here. It would require applications add an entitlement to lookup our named service doing the brokering, which should be fine.