Disable sandboxing for macOS apps and tests in CI #149618
Conversation
github-actions
bot
added
tool
| disabledSandboxEntitlementFile.createSync(recursive: true); | ||
| disabledSandboxEntitlementFile.writeAsStringSync( | ||
| originalEntitlementFileContents.replaceAll( | ||
| RegExp(r'<key>com\.apple\.security\.app-sandbox<\/key>[\S\s]*?<true\/>'), |
There was a problem hiding this comment.
You could plutil instead, if that's more robust than the regex. This works too, though.
There was a problem hiding this comment.
I tried plutil, seems like to doesn't like it when keys contain periods, always errors when inserting or replacing with Value NO not valid for key path com.apple.security.app-sandbox. Also tried value false, and other keys, which is why I think it's specific to keys with periods.
| try { | ||
| Timer? timer; | ||
| if (this is MacOSDevice) { | ||
| final bool usingCI = globals.platform.environment['LUCI_CI'] == 'True'; |
There was a problem hiding this comment.
Maybe PersistentToolState.isRunningOnBot since this could happen in any headless environment?
There was a problem hiding this comment.
That would also change the behavior for everyone running CI, not just us, so we'd be sneakily turning off the sandbox under their nose. I bet they are also having this issue, but I'm not sure about doing it without warning them?
Do the devicelab tests have LUCI_CI set?
There was a problem hiding this comment.
That would also change the behavior for everyone running CI, not just us, so we'd be sneakily turning off the sandbox under their nose. I bet they are also having this issue, but I'm not sure about doing it without warning them?
How about we use PersistentToolState.isRunningOnBot and update the warning to be more informative and actionable and then when we actually override it in build_macos.dart, we use LUCI_CI? That way we're not changing it for everyone, but we're still helping them figure it out.
Do the devicelab tests have
LUCI_CIset?
Yes, it's set for devicelab_drone, flutter_drone, packages (and other recipes)
https://flutter.googlesource.com/recipes/+/refs/heads/main/recipe_modules/repo_util/api.py#437
| /// access to the app. To workaround this in CI, we create and use a entitlements | ||
| /// file with sandboxing disabled. See | ||
| /// https://developer.apple.com/documentation/security/app_sandbox/accessing_files_from_the_macos_app_sandbox. | ||
| File? _createDisabledSandboxEntitlementFile( |
There was a problem hiding this comment.
Instead of actually doing this in the tool, can we set FLUTTER_XCODE_CODE_SIGN_ENTITLEMENTS to the altered file in the test runner?
There was a problem hiding this comment.
I'm not quite sure what you mean. Do you mean create the altered file in the test_runner (whether that's devicelab or integration tests, etc) and then pass it in to the tool?
I think that'd be pretty difficult, because we call into the tool is many different ways so I wouldn't be confident that I got them all. For example, here's just a few example I found:
We also call into the tool from other repos (like packages)
There was a problem hiding this comment.
I think that'd be pretty difficult, because we call into the tool is many different ways so I wouldn't be confident that I got them all. For example, here's just a few example I found:
Hmm, I guess I was thinking about devicelab.
Logic like this:
flutter/dev/devicelab/lib/framework/utils.dart
Lines 475 to 479 in 4cad9fd
But for the environment like here:
But I wasn't thinking of the integration.shard...
Bleeeeh I hate putting CI stuff in the tool.
There was a problem hiding this comment.
I agree it's not ideal, but I think the alternative would be to add logic everywhere we use flutter run, flutter test, flutter drive on macOS apps across our entire CI and repos. Also perhaps if customer testing had macOS integration tests, that could pose a problem (not that we currently have any that do, just another use case to consider).
There was a problem hiding this comment.
Since you're already working on this, we should consider the non-Google CI macOS test case. I suspect maybe some of the reports in #118469 are actually this issue though at the end some of the reporters narrowed it down to OpenGL. Though anyone who saw it working on ARM but not Intel wouldn't have been hitting this...
Could we re-use your --ci flag to trigger this behavior, and print a warning like "Detected macOS app running in CI, turning off sandboxing."?
There was a problem hiding this comment.
However, if that's infeasible, this approach LGTM
There was a problem hiding this comment.
Sure, I updated to use either --ci or LUCI_CI. Also, updated message to tell users they can use --ci to get Flutter to attempt to disable sandboxing
| 'The Dart VM Service was not discovered after $defaultTimeout ' | ||
| 'minutes. Ensure sandboxing is disabled by checking the set ' | ||
| 'CODE_SIGN_ENTITLEMENTS.'); |
There was a problem hiding this comment.
I like that the warning is in the tool, though, to give a hint to anyone else hitting this in CI.
|
FYI tests seem to be failing due to networking issues right now, I'll give it some time before I rereun them |
vashworth
added
the
autosubmit
[Sandboxing was recently disabled for macOS CI tests](flutter/flutter#149618). This caused `getApplicationDocumentsDirectory` tests in path_provider to fail because it changes the path. With sandboxing enabled, the path is `~/Library/Containers/dev.flutter.plugins.pathProviderExample/Data/Documents`. With sandboxing disabled, the path is `~/Documents`, which requires additional permissions to access. To workaround, skip verifying a file can be created/deleted and simply validate a path is returned. Fixes flutter/flutter#149713.
flutter/flutter@c246ecd...27e0656 2024-06-05 98614782+auto-submit[bot]@users.noreply.github.com Reverts "TreeSliver & associated classes (#147171)" (flutter/flutter#149754) 2024-06-05 [email protected] Feature: Add AnimatedList with separators (flutter/flutter#144899) 2024-06-05 [email protected] make output of flutter run web tests verbose (flutter/flutter#149694) 2024-06-05 98614782+auto-submit[bot]@users.noreply.github.com Reverts "Request focus if `SemanticsAction.focus` is sent to a focusable widget (#142942)" (flutter/flutter#149741) 2024-06-05 [email protected] Roll Flutter Engine from e88469090fed to 11a32d43e3f6 (2 revisions) (flutter/flutter#149699) 2024-06-05 [email protected] Request focus if `SemanticsAction.focus` is sent to a focusable widget (flutter/flutter#142942) 2024-06-04 [email protected] Roll Flutter Engine from 3dd40156afb6 to e88469090fed (2 revisions) (flutter/flutter#149695) 2024-06-04 [email protected] TreeSliver & associated classes (flutter/flutter#147171) 2024-06-04 [email protected] Roll Flutter Engine from fe00f023666c to 3dd40156afb6 (3 revisions) (flutter/flutter#149692) 2024-06-04 49699333+dependabot[bot]@users.noreply.github.com Bump github/codeql-action from 3.25.7 to 3.25.8 (flutter/flutter#149691) 2024-06-04 [email protected] Prepares semantics_update_test for upcoming heading level changes (flutter/flutter#149671) 2024-06-04 [email protected] Identify and re-throw our dependency checking errors in `flutter.groovy` (flutter/flutter#149609) 2024-06-04 [email protected] Scrollbar thumb drag gestures now produce one start and one end scroll notification (flutter/flutter#146654) 2024-06-04 [email protected] Disable sandboxing for macOS apps and tests in CI (flutter/flutter#149618) 2024-06-04 [email protected] Roll Flutter Engine from e211c43f3dc1 to fe00f023666c (3 revisions) (flutter/flutter#149680) 2024-06-04 [email protected] Allow `find.byTooltip` to use a RegEx (flutter/flutter#149348) 2024-06-04 [email protected] Roll Flutter Engine from a6aa5d826649 to e211c43f3dc1 (8 revisions) (flutter/flutter#149658) If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages Please CC [email protected],[email protected],[email protected] on the revert to ensure that a human is aware of the problem. To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622 Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
vashworth
added
the
cp: beta
|
Failed to create CP due to merge conflicts. |
macOS 14 added new requirements that un-codesigned sandbox apps must be granted access when changed. Waiting for this UI caused macOS tests to fail on macOS 14 because the test runner forced codesigning off. Additionally, adding codesigning is not sufficient, since it must still be approved before codesigning is enough to pass the check. As a workaround, this PR disables sandboxing for macOS apps/tests in CI.  https://developer.apple.com/documentation/updates/security#June-2023) > App Sandbox now associates your macOS app with its sandbox container using its code signature. The operating system asks the person using your app to grant permission if it tries to access a sandbox container associated with a different app. For more information, see [Accessing files from the macOS App Sandbox](https://developer.apple.com/documentation/security/app_sandbox/accessing_files_from_the_macos_app_sandbox). And that link explains why this is happening on a macOS 14 update: > In macOS 14 and later, the operating system uses your app�s code signature to associate it with its sandbox container. If your app tries to access the sandbox container owned by another app, the system asks the person using your app whether to grant access. If the person denies access and your app is already running, then it can�t read or write the files in the other app�s sandbox container. If the person denies access while your app is launching and trying to enter the other app�s sandbox container, your app fails to launch. > > The operating system also tracks the association between an app�s code signing identity and its sandbox container for helper tools, including launch agents. If a person denies permission for a launch agent to enter its sandbox container and the app fails to start, launchd starts the launch agent again and the operating system re-requests access. Fixes flutter#149268. Fixes framework part of flutter#149264. Might fix packages issue: flutter#149329. Verified framework tests: https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20plugin_test_macos/9/overview https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20run_debug_test_macos/2/overview https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20tool_integration_tests_4_4/2/overview https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20integration_ui_test_test_macos/3/overview https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20flavors_test_macos/3/overview https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_benchmark%20complex_layout_scroll_perf_macos__timeline_summary/6/overview
macOS 14 requires sandboxing to be disabled in CI (see flutter/flutter#149618 for details). This is handled via the tool in flutter/flutter#149618, but that commit has yet to land in stable. To allow packages stable tests to run on macOS 14, disable sandboxing directly for macOS example apps. Verified tests pass on macOS 14: https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_arm64%20macos_platform_tests%20stable%20-%20packages/6/infra https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_arm64%20custom_package_tests%20stable/3/overview
macOS 14 requires sandboxing to be disabled in CI (see flutter/flutter#149618 for details). This is handled via the tool in flutter/flutter#149618, but that commit has yet to land in stable. To allow packages stable tests to run on macOS 14, disable sandboxing directly for macOS example apps. Verified tests pass on macOS 14: https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_arm64%20macos_platform_tests%20stable%20-%20packages/6/infra https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_arm64%20custom_package_tests%20stable/3/overview
macOS 14 requires sandboxing to be disabled in CI (see flutter/flutter#149618 for details). This is handled via the tool in flutter/flutter#149618, but that commit has yet to land in stable. To allow packages stable tests to run on macOS 14, disable sandboxing directly for macOS example apps. Verified tests pass on macOS 14: https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_arm64%20macos_platform_tests%20stable%20-%20packages/6/infra https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_arm64%20custom_package_tests%20stable/3/overview
3 participants
macOS 14 added new requirements that un-codesigned sandbox apps must be granted access when changed. Waiting for this UI caused macOS tests to fail on macOS 14 because the test runner forced codesigning off. Additionally, adding codesigning is not sufficient, since it must still be approved before codesigning is enough to pass the check. As a workaround, this PR disables sandboxing for macOS apps/tests in CI.
https://developer.apple.com/documentation/updates/security#June-2023)
And that link explains why this is happening on a macOS 14 update:
Fixes #149268.
Fixes framework part of #149264.
Might fix packages issue: #149329.
Verified framework tests:
https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20plugin_test_macos/9/overview
https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20run_debug_test_macos/2/overview
https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20tool_integration_tests_4_4/2/overview
https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20integration_ui_test_test_macos/3/overview
https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac%20flavors_test_macos/3/overview
https://ci.chromium.org/ui/p/flutter/builders/staging.shadow/Mac_benchmark%20complex_layout_scroll_perf_macos__timeline_summary/6/overview
Pre-launch Checklist
///).If you need help, consider asking for advice on the #hackers-new channel on Discord.