Tuesday, April 16, 2019

Sandboxing Makes Quarantine Flags Almost Meaningless

Howard Oakley:

When quarantine xattrs start appearing on files which have only ever been stored locally since their creation, is it time to get worried?

It would appear not.

Thanks to Thomas, who drew my attention to the fact that opening any movie in the QuickTime Player app (the latest ‘X’ version, not the old QuickTime 7) results in a quarantine xattr being attached to it.

A little further exploration revealed that this isn’t the only such case: Preview attaches quarantine xattrs to several of the file types which it opens, including PDF. The high-end PDF editors PDF Expert and PDFPenPro, and Nisus Writer Pro also attach quarantine xattrs to the PDFs which they create.

Erik Schwiebert:

Yep. The OS adds the quarantine xattr to any file created by an app that has been sandboxed. I don’t know why; you’d think they would trust a sandboxed app more, not less.

Rich Siegel:

It’s pretty crazy. We’ve seen a lot of this with customers opening/editing +x files. Simply opening the file causes it to grow quarantine, and then the user can’t run it in Terminal or programmatically with NSTask. (Gatekeeper and Terminal don’t really mix.)

Howard Oakley:

The quarantine flag, an extended attribute (xattr) of type com.apple.quarantine, used to be one of the most meaningful and important of all the xattrs attached to files. It meant that item had been downloaded from the Internet. In the case of apps, it’s used to determine whether that app needs to undergo full first-run checks by Gatekeeper before being allowed free run on your Mac.

Since Apple introduced sandboxing for apps, the quarantine xattr has been used for a quite different purpose: to flag which document files have been opened by sandboxed apps.

This behaviour appears consistent across almost all apps which run in a sandbox, even if they’re not supplied by the App Store. One exception that I have found is the latest version of BBEdit: although sandboxed (and notarized), the non-App Store version doesn’t appear to attach quarantine xattrs to text files which it opens or writes, even when they are PDFs, for example.

For file types like JPEG, PNG, Movies and PDF, which are specific targets of this behaviour, the rules for attaching a quarantine flag by a sandboxed app appear to be[…]

Update (2019-08-13): Craig Hockenberry:

If you think the dialogs in Catalina are annoying, just wait until you discover that any script you edit with BBEdit or TextEdit gets thrown into a quarantine and won’t execute until you use xattr at the command line.

You’re going to see a lot of “operation not permitted”.

Erik Schwiebert:

So far as I know, macOS adds the quarantine xattr to any file created by a sandboxed app. This happens to Office files, and was resolved as By Design by Apple several years ago. It isn’t new to Catalina.

Rich Siegel:

Check and see whether sandbox access is allowed (in BBEdit’s “Application” preferences). If it is not, allow it and I think that will solve this for you.

That worked for me. So apparently it doesn’t add the quarantine flags when saving into a folder that the app already has access to due to a security-scoped bookmark.

See also: Quarantine: Apps and Documents and Advances in macOS Security.

Update (2019-08-15): Craig Hockenberry:

It looks like com.apple.security.files.user-selected.executable is the secret sauce in this:

$ codesign -dvvvv --entitlements :- /System/Applications/TextEdit.app/

And it looks like it’s not generally available.
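Howard Oakley describes the com.apple.quarantine xattr above, Craig Hockenberry mentions clearing it with xattr and reading an app’s entitlements with codesign. The script below is an added example and is not code from the post or from any of the people quoted. It assumes the quarantine value is a semicolon-separated string of hex flags, hex Unix timestamp, agent name and an optional UUID (the format LaunchServices writes); the sample values in the test are constructed, and the xattr and codesign wrappers only do anything on a Mac.

```shell
#!/bin/sh
# Added example (not from the post): decode the com.apple.quarantine value,
# wrap the xattr(1) calls used to inspect or remove it, and check an app
# bundle for the user-selected.executable entitlement. POSIX sh.

# Print field N (1-based) of a raw quarantine value such as
# "0083;5cb5b7d9;QuickTime Player;<uuid>" (constructed sample).
quarantine_field() {
  printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# Hex flags word as stored, e.g. 0083.
quarantine_flags() { quarantine_field "$1" 1; }

# Timestamp as decimal Unix seconds (the xattr stores it in hex).
quarantine_epoch() {
  _ts=$(quarantine_field "$1" 2)
  [ -n "$_ts" ] || { echo 0; return 1; }
  echo $((0x$_ts))
}

# Name of the app that stamped the file (Safari, QuickTime Player, TextEdit, ...).
quarantine_agent() { quarantine_field "$1" 3; }

# One-line summary of a raw value, suitable for an audit log.
describe_quarantine() {
  printf 'flags=%s epoch=%s agent=%s\n' \
    "$(quarantine_flags "$1")" "$(quarantine_epoch "$1")" "$(quarantine_agent "$1")"
}

# Read the xattr from a file (macOS only); exit status 1 when absent.
read_quarantine() {
  xattr -p com.apple.quarantine "$1" 2>/dev/null
}

# Walk a directory and report every quarantined file and which app stamped it,
# so locally created files flagged by a sandboxed editor stand out from downloads.
audit_quarantine() {
  find "$1" -type f | while IFS= read -r f; do
    v=$(read_quarantine "$f") || continue
    printf '%s\t%s\n' "$f" "$(describe_quarantine "$v")"
  done
}

# Remove the flag from a script you wrote yourself and can no longer run
# (the "operation not permitted" case described in the post).
clear_quarantine() {
  xattr -d com.apple.quarantine "$1"
}

# Exit status 0 when the bundle's entitlements name
# com.apple.security.files.user-selected.executable.
has_user_selected_executable_entitlement() {
  codesign -d --entitlements :- "$1" 2>/dev/null |
    grep -q 'com.apple.security.files.user-selected.executable'
}

# Usage on a Mac (hypothetical paths):
#   audit_quarantine ~/Downloads
#   describe_quarantine "$(read_quarantine ~/bin/build.sh)"
#   has_user_selected_executable_entitlement /System/Applications/TextEdit.app && echo granted
```

The decoding functions take the raw value so they can be used on the output of xattr -p, on a saved audit listing, or on mdls/ls -l@ output you have already collected; only audit_quarantine, clear_quarantine and the entitlement check shell out to macOS tools.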

Craig Hockenberry:

The irony here is that thanks to the com.apple.security.files.user-selected.executable entitlement, developers are better off using non-sandboxed native apps.

Apps like Visual Studio Code have a distinct advantage with lesser security.


[…] Previously: Sandboxing Makes Quarantine Flags Almost Meaningless. […]
