Allow running Mac Catalyst builds in App Sandbox

Author: simonrozsival

src/mono/sample/iOS/Makefile

@@ -5,6 +5,7 @@ USE_LLVM=true
 AOT?=false
 TARGET?=iOSSimulator
 DEPLOY_AND_RUN?=true
+APP_SANDBOX?=false
 
 #If DIAGNOSTIC_PORTS is enabled, RUNTIME_COMPONENTS must also be enabled.
 #If RUNTIME_COMPONENTS is enabled, DIAGNOSTIC_PORTS is optional.
@@ -58,7 +59,8 @@ run-catalyst:
 	/p:TargetArchitecture=$(MONO_ARCH) \
 	'/p:DeployAndRun="$(DEPLOY_AND_RUN)"' \
 	/p:UseLLVM=False \
-	/p:ForceAOT=True
+	/p:ForceAOT=True \
+	/p:EnableAppSandbox=$(APP_SANDBOX)
 
 run-sim-interp: clean appbuilder
 	$(DOTNET) publish \

src/mono/sample/iOS/Program.csproj

@@ -18,6 +18,7 @@
 
   <PropertyGroup Condition="'$(TargetOS)' == 'MacCatalyst'">
     <DevTeamProvisioning Condition="'$(TargetOS)' == 'MacCatalyst' and '$(DevTeamProvisioning)' == ''">adhoc</DevTeamProvisioning>
+    <EnableAppSandbox Condition="'$(EnableAppSandbox)' == ''">false</EnableAppSandbox>
   </PropertyGroup>
 
   <Import Project="$(RepoTasksDir)AotCompilerTask\MonoAOTCompiler.props" />
@@ -81,6 +82,7 @@
         ForceAOT="$(RunAOTCompilation)"
         ForceInterpreter="$(MonoForceInterpreter)"
         RuntimeComponents="$(RuntimeComponents)"
+        EnableAppSandbox="$(EnableAppSandbox)"
         DiagnosticPorts="$(DiagnosticPorts)"
         AppDir="$(MSBuildThisFileDirectory)$(PublishDir)">
         <Output TaskParameter="AppBundlePath" PropertyName="AppBundlePath" />

src/tasks/AppleAppBuilder/AppleAppBuilder.cs

@@ -158,6 +158,11 @@ public string TargetOS
     /// </summary>
     public bool EnableRuntimeLogging { get; set; }
 
+    /// <summary>
+    /// Enables App Sandbox for Mac Catalyst apps
+    /// </summary>
+    public bool EnableAppSandbox { get; set; }
+
     public override bool Execute()
     {
         bool isDevice = (TargetOS == TargetNames.iOS || TargetOS == TargetNames.tvOS);
@@ -229,6 +234,11 @@ public override bool Execute()
                 throw new ArgumentException("Using DiagnosticPorts require diagnostics_tracing runtime component.");
         }
 
+        if (EnableAppSandbox && TargetOS != TargetNames.MacCatalyst)
+        {
+            throw new InvalidOperationException("App Sandbox can only be enabled for Mac Catalyst builds.");
+        }
+
         var generator = new Xcode(Log, TargetOS, Arch);
 
         if (GenerateXcodeProject)
@@ -252,7 +262,7 @@ public override bool Execute()
         else if (GenerateCMakeProject)
         {
              generator.GenerateCMake(ProjectName, MainLibraryFileName, assemblerFiles, assemblerFilesToLink,
-                AppDir, binDir, MonoRuntimeHeaders, !isDevice, UseConsoleUITemplate, ForceAOT, ForceInterpreter, InvariantGlobalization, Optimized, EnableRuntimeLogging, DiagnosticPorts, RuntimeComponents, NativeMainSource);
+                AppDir, binDir, MonoRuntimeHeaders, !isDevice, UseConsoleUITemplate, ForceAOT, ForceInterpreter, InvariantGlobalization, Optimized, EnableRuntimeLogging, EnableAppSandbox, DiagnosticPorts, RuntimeComponents, NativeMainSource);
         }
 
         return true;

src/tasks/AppleAppBuilder/Xcode.cs

@@ -201,6 +201,7 @@ public string GenerateCMake(
         bool invariantGlobalization,
         bool optimized,
         bool enableRuntimeLogging,
+        bool enableAppSandbox,
         string? diagnosticPorts,
         string? runtimeComponents=null,
         string? nativeMainSource = null)
@@ -236,13 +237,23 @@ public string GenerateCMake(
         var entitlements = new List<KeyValuePair<string, string>>();
 
         bool hardenedRuntime = false;
-        if (Target == TargetNames.MacCatalyst && !forceAOT) {
-            hardenedRuntime = true;
+        if (Target == TargetNames.MacCatalyst)
+        {
+            if (!forceAOT)
+            {
+                hardenedRuntime = true;
+
+                /* for mmmap MAP_JIT */
+                entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.allow-jit", "<true/>"));
+                /* for loading unsigned dylibs like libicu from outside the bundle or libSystem.Native.dylib from inside */
+                entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.disable-library-validation", "<true/>"));
+            }
 
-            /* for mmmap MAP_JIT */
-            entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.allow-jit", "<true/>"));
-            /* for loading unsigned dylibs like libicu from outside the bundle or libSystem.Native.dylib from inside */
-            entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.disable-library-validation", "<true/>"));
+            if (enableAppSandbox)
+            {
+                hardenedRuntime = true;
+                entitlements.Add (KeyValuePair.Create ("com.apple.security.app-sandbox", "<true/>"));
+            }
         }
 
         string cmakeLists = Utils.GetEmbeddedResource("CMakeLists.txt.template")