{"id":909,"date":"2016-07-10T16:50:52","date_gmt":"2016-07-10T23:50:52","guid":{"rendered":"https:\/\/dreness.com\/blog\/?p=909"},"modified":"2019-12-07T17:15:57","modified_gmt":"2019-12-08T00:15:57","slug":"silence-sandbox-log-spam-or-why-is-sandbox-logging-allowed-access","status":"publish","type":"post","link":"https:\/\/dreness.com\/blog\/archives\/909","title":{"rendered":"Silence sandbox log spam (or: Why is sandbox logging ALLOWED access?!)"},"content":{"rendered":"<p>I&#8217;ve been annoyed by sandbox log verbosity since always, but recently I was pushed over the edge when playing with a tool (<a href=\"https:\/\/github.com\/hishamhm\/htop\">htop<\/a>) that calls task_for_pid a lot. It&#8217;s open source, so not <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/Security\/Conceptual\/CodeSigningGuide\/Procedures\/Procedures.html\">code signed<\/a> or <a href=\"https:\/\/opensource.apple.com\/source\/adv_cmds\/adv_cmds-163\/ps\/entitlements.plist\">entitled<\/a>. There are various ways to allow the calls to succeed (e.g. run as root, or add -p to <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/Darwin\/Reference\/ManPages\/man8\/taskgated.8.html\">taskgated<\/a>&#8217;s args and run htop\u00a0setgid procmod); however, this does nothing to alleviate the log spam, because ALLOWED access is still logged &#8211; sometimes by both kernel and sandboxd. If you&#8217;re making a lot of &#8216;allowed&#8217; calls, this drives syslogd CPU usage up into the noticeable range. In fact on an otherwise idle system running htop (with -d 5), this effect results in syslogd being the busiest process on the system! Not ok. No love for the boy who cried &#8220;no wolf&#8221;.<\/p>\n<p>Here is some medicine:<\/p>\n<pre># \/etc\/asl.conf rules, placed above 'Rules for \/var\/log\/system.log'\r\n? [= Sender kernel] [= Facility kern] [N= Level 5] [Z= Message allow(0) mach-priv-task-port] ignore\r\n? 
[= Sender sandboxd] [= Facility com.apple.sandbox] [N= Level 5] [Z= Message allow mach-priv-task-port] ignore<\/pre>\n<p>This cuts syslogd CPU usage by about 50% in my testing. Of course I would prefer that these messages were never sent, but it&#8217;s an improvement. Note that trunk htop has mitigated this problem by <a href=\"https:\/\/github.com\/hishamhm\/htop\/issues\/449\">caching<\/a> (and not retrying) denied attempts, but there&#8217;s nothing htop can do about the spam from *allowed* attempts.<\/p>\n<p>I should mention that I&#8217;m not allergic to sandbox or\u00a0policy enforcement in general. This is more of a &#8216;living in harmony&#8217; kind of thing, and although there are serious ownership-related existential questions breaking through the surface with increasing frequency, this post isn&#8217;t about that.<\/p>\n<p>Except for the next sentence.\u00a0As a thought experiment, see if you can come up with any justification for logging\u00a0these &#8216;allow&#8217; messages that benefits the user, and that outweighs both the potential performance impact (read: battery, if you are rolling your eyes right now)\u00a0and the signal to noise ratio impact.<\/p>\n<p>I know that I&#8217;m\u00a0one thousand\u00a0years old for looking at log files in the first place (especially when the house *isn&#8217;t*\u00a0on fire), and I&#8217;m ok with that. I might even assert that a person\u00a0could build a career by curiously reading everything the system says.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been annoyed by sandbox log verbosity since always, but recently I was pushed over the edge when playing with a tool (htop) that calls task_for_pid a lot. It&#8217;s open source, so not code signed or entitled. 
There are various &hellip; <a href=\"https:\/\/dreness.com\/blog\/archives\/909\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,14],"tags":[],"class_list":["post-909","post","type-post","status-publish","format-standard","hentry","category-os-x","category-pro-tip"],"_links":{"self":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/comments?post=909"}],"version-history":[{"count":8,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/909\/revisions"}],"predecessor-version":[{"id":1352,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/909\/revisions\/1352"}],"wp:attachment":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/media?parent=909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/categories?post=909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/tags?post=909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}