Bug report: Sandbox violation, CSSM Exceptions in com.apple.SafariServices.ExtensionHelper


#1

I just happened to look at my Console (on the Mac) today and noticed the following error messages being logged every single second:

com.apple.SafariServices.ExtensionHelper	CSSM Exception: -50 One or more parameters passed to a function were not valid.
com.apple.SafariServices.ExtensionHelper	CSSM Exception: 80 CSSM_ERRCODE_INVALID_CSP_HANDLE
com.apple.SafariServices.ExtensionHelper	CSSM Exception: -50 One or more parameters passed to a function were not valid.
com.apple.SafariServices.ExtensionHelper	CSSM Exception: 80 CSSM_ERRCODE_INVALID_CSP_HANDLE
com.apple.SafariServices.ExtensionHelper	CSSM Exception: 64 CSSM_ERRCODE_INVALID_CONTEXT_HANDLE
com.apple.SafariServices.ExtensionHelper	MacOS error: -2147416000
com.apple.SafariServices.ExtensionHelper	MacOS error: -2147416000
com.apple.SafariServices.ExtensionHelper	MacOS error: -2147416000

In addition, there were two error messages about Better.app, which only occurred once each:

sandboxd	SandboxViolation: com.apple.Safari(811) deny mach-lookup com.apple.SecurityServer

sandboxd	SandboxViolation: com.apple.Safari(811) deny ipc-posix-shm-read-data /tmp/com.apple.csseed.152

I can also provide the detailed callstack of these two errors, if that is useful. For now, I have disabled Better because I don’t want my log to fill up like that, but would love to be able to run it again soon. Thanks!


#2

Same here. Besides the above, these are messages in Console.app by either Better or with the string “better” after starting the app:

08:28:37.485264 +0100	Better               	Faulting in NSHTTPCookieStorage singleton
08:28:37.485298 +0100	Better               	Faulting in CFHTTPCookieStorage singleton
08:28:37.485308 +0100	Better               	Creating default cookie storage with default identifier
08:28:37.486284 +0100	Better               	TIC TCP Conn Start [1:0x6080001939a0]
08:28:37.508065 +0100	Better               	discovered extensions
08:28:37.508255 +0100	Better               	discovered extensions
08:28:37.508361 +0100	Better               	discovered extensions
error                	08:28:37.519550 +0100	Better	Detected missing constraints for <private>.  It cannot be placed because there are not enough constraints to fully define the size and origin. Add the missing constraints, or set translatesAutoresizingMaskIntoConstraints=YES and constraints will be generated for you. If this view is laid out manually on macOS 10.12 and later, you may choose to not call [super layout] from your override. Set a breakpoint on DETECTED_MISSING_CONSTRAINTS to debug. This error will only be logged once.
08:28:37.533242 +0100	Better               	TIC TCP Conn Event [1:0x6080001939a0]: 1 Err(0)
08:28:37.533292 +0100	Better               	TIC TCP Conn Connected [1:0x6080001939a0]: Err(0)
08:28:37.623387 +0100	Better               	ⓘ Better: creating and showing the status bar menu.
08:28:37.623450 +0100	Better               	Better: createAndShowStatusBarMenu
error                	08:28:37.910225 +0100	sandboxd	SandboxViolation: com.apple.Safari(27513) deny mach-lookup com.apple.SecurityServer
Violation:       deny mach-lookup com.apple.SecurityServer 
Process:         com.apple.Safari [27513]
Path:            /System/Library/Frameworks/SafariServices.framework/Versions/A/XPCServices/com.apple.SafariServices.ExtensionHelper.xpc/Contents/MacOS/com.apple.SafariServices.ExtensionHelper
Load Address:    0x1028be000
Identifier:      com.apple.SafariServices.ExtensionHelper
Version:         12604.3.5.1.1 (12604)
Code Type:       x86_64 (Native)
Parent Process:  launchd [1]
Responsible:     /Applications/Better.app/Contents/MacOS/Better [27512]
User ID:         501

Date/Time:       2017-11-08 08:28:37.746 GMT+1
OS Version:      Mac OS X 10.12.6 (16G29)
Report Version:  8

Thread 0 (id: 5249387):
0   libsystem_kernel.dylib        	0x00007fff8b8af34a mach_msg_trap + 10
1   libxpc.dylib                  	0x00007fff8b9d64cf xpc_pipe_routine + 232
2   libxpc.dylib                  	0x00007fff8b9d6359 _xpc_interface_routine + 164
3   libxpc.dylib                  	0x00007fff8b9d5f0c bootstrap_look_up3 + 193
4   libxpc.dylib                  	0x00007fff8b9d5e39 bootstrap_look_up2 + 45
5   Security                      	0x00007fff7c2cbee6 Security::MachPlusPlus::Bootstrap::lookup2(char const*) const + 44
6   Security                      	0x00007fff7c2ded65 Security::SecurityServer::ClientSession::findSecurityd() + 235
7   Security                      	0x00007fff7c2deab4 Security::SecurityServer::ClientSession::Global::Global() + 86
8   Security                      	0x00007fff7c2dea34 Security::ModuleNexus<Security::SecurityServer::ClientSession::Global>::make() + 28
9   Security                      	0x00007fff7c4ca79b Security::ModuleNexusCommon::do_create(void* (*)()) + 11
10  libdispatch.dylib             	0x00007fff8b7528fc _dispatch_client_callout + 8
11  libdispatch.dylib             	0x00007fff8b7528b9 dispatch_once_f + 38
12  Security                      	0x00007fff7c287984 Security::ModuleNexusCommon::create(void* (*)()) + 102
13  Security                      	0x00007fff7c2a0c3b Security::ModuleNexus<Security::SecurityServer::ClientSession::Global>::operator()() + 43
14  Security                      	0x00007fff7c2a0a0f Security::SecurityServer::ClientSession::activate() + 171
15  Security                      	0x00007fff7c2de8ae Security::MDSSession::DbOpen(char const*, cssm_net_address const*, unsigned int, Security::AccessCredentials const*, void const*, long&) + 128
16  Security                      	0x00007fff7c2de74f mds_DbOpen(long, char const*, cssm_net_address const*, unsigned int, cssm_access_credentials const*, void const*, long*) + 247
17  Security                      	0x00007fff7c28ac43 Security::MDSClient::Directory::cdsa() const + 97
18  Security                      	0x00007fff7c37e760 Security::MDSClient::Directory::dlGetFirst(cssm_query const&, cssm_db_record_attribute_data&, cssm_data*, cssm_db_unique_record*&) + 38
19  Security                      	0x00007fff7c28a6e4 Security::CssmClient::Table<Security::MDSClient::Common>::startQuery(Security::CssmQuery const&, bool) + 252
20  Security                      	0x00007fff7c28a3be Security::CssmClient::Table<Security::MDSClient::Common>::fetch(Security::CssmClient::Query const&, int) + 160
21  Security                      	0x00007fff7c289c36 MdsComponent::MdsComponent(Security::Guid const&) + 230
22  Security                      	0x00007fff7c2898be CssmManager::loadModule(Security::Guid const&, unsigned int, Security::ModuleCallback const&) + 410
23  Security                      	0x00007fff7c28967b CSSM_ModuleLoad + 73
24  Security                      	0x00007fff7c2dd8a3 SecCspHandleForAlgorithm + 147
25  Security                      	0x00007fff7c2dd7ed SecCmsUtilGetHashObjByAlgID + 35
26  Security                      	0x00007fff7c2dd6ee SecCmsDigestContextStartMultiple + 155
27  Security                      	0x00007fff7c2dd639 SecCmsSignedDataDecodeBeforeData + 33
28  Security                      	0x00007fff7c2dcbc7 nss_cms_decoder_notify + 470
29  Security                      	0x00007fff7c297ce0 SEC_ASN1DecoderUpdate + 2306
30  Security                      	0x00007fff7c2dc9aa SecCmsDecoderUpdate + 38
31  Security                      	0x00007fff7c2dc6ee CMSDecoderUpdateMessage + 81
32  Security                      	0x00007fff7c3a59db Security::CodeSigning::SecStaticCode::verifySignature() + 175
33  Security                      	0x00007fff7c3a5730 Security::CodeSigning::SecStaticCode::validateDirectory() + 92
34  Security                      	0x00007fff7c3a8ffe Security::CodeSigning::SecStaticCode::getDictionary(unsigned int, bool) + 28
35  Security                      	0x00007fff7c3a8f32 Security::CodeSigning::SecStaticCode::infoDictionary() + 64
36  Security                      	0x00007fff7c3ab360 Security::CodeSigning::SecStaticCode::signingInformation(unsigned int) + 808
37  Security                      	0x00007fff7c39e9a8 SecCodeCopySigningInformation + 63
38  SafariServices                	0x00000001045ac275 -[NSExtension(SafariServicesExtras) sf_untrustedCodeSigningDictionaryFromCodeRef:enforcingCodeSigningRequirement:skipValidityCheck:] + 317
39  SafariServices                	0x00000001045ac0fb -[NSExtension(SafariServicesExtras) sf_untrustedCodeSigningDictionaryEnforcingCodeSigningRequirement:skipValidityCheck:] + 74
40  SafariServices                	0x00000001045a9710 -[SFContentBlockerManager(SFPrivate) _contentBlockerIsEnabledForSafariExtensionHelper:inSafariWithKeychainAccount:] + 111
41  com.apple.SafariServices.ExtensionHelper	0x00000001028c1d72
42  libdispatch.dylib             	0x00007fff8b75b524 _dispatch_call_block_and_release + 12
43  libdispatch.dylib             	0x00007fff8b7528fc _dispatch_client_callout + 8
44  libdispatch.dylib             	0x00007fff8b75faac _dispatch_main_queue_callback_4CF + 925
45  CoreFoundation                	0x00007fff7603fbc9 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
46  CoreFoundation                	0x00007fff76000c0d __CFRunLoopRun + 2205
47  CoreFoundation                	0x00007fff76000114 CFRunLoopRunSpecific + 420
48  Foundation                    	0x00007fff77a13252 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 277
49  Foundation                    	0x00007fff77a1312a -[NSRunLoop(NSRunLoop) run] + 76
50  libxpc.dylib                  	0x00007fff8b9e189b _xpc_objc_main + 731
51  libxpc.dylib                  	0x00007fff8b9e02e4 xpc_main + 494
52  Foundation                    	0x00007fff77a70feb +[NSXPCListener serviceListener] + 0
53  com.apple.SafariServices.ExtensionHelper	0x00000001028bf96c
54  libdyld.dylib                 	0x00007fff8b788235 start + 1
55  com.apple.SafariServices.ExtensionHelper	0x0000000000000001

Thread 1 (id: 5249426):
0   libsystem_kernel.dylib        	0x00007fff8b8b744e __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff8b9a107d start_wqthread + 13

Thread 2 (id: 5249427):
0   libsystem_kernel.dylib        	0x00007fff8b8b744e __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff8b9a107d start_wqthread + 13

Thread 3 (id: 5249428):
0   libsystem_kernel.dylib        	0x00007fff8b8b744e __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff8b9a107d start_wqthread + 13

Binary Images:
       0x1028be000 -        0x1028c5fff  com.apple.SafariServices.ExtensionHelper (12604 - 12604.3.5.1.1) <1fe69212-ca12-39d9-ae45-f47679b773f3> /System/Library/Frameworks/SafariServices.framework/Versions/A/XPCServices/com.apple.SafariServices.ExtensionHelper.xpc/Contents/MacOS/com.apple.SafariServices.ExtensionHelper
       0x1045a3000 -        0x1045b9fff  com.apple.SafariServices.framework (12604 - 12604.3.5.1.1) <4e786add-97f5-3e19-8acc-816f21c72929> /System/Library/Frameworks/SafariServices.framework/Versions/A/SafariServices
    0x7fff75f79000 -     0x7fff76412ff7  com.apple.CoreFoundation (6.9 - 1349.8) <09ed473e-5de8-307f-b55c-16f6419236d5> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    0x7fff779f1000 -     0x7fff77d97fff  com.apple.Foundation (6.9 - 1349.91) <a37cb4ec-0730-3dd6-9358-60491bf40ef2> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
    0x7fff7c286000 -     0x7fff7c588ff7  com.apple.security (7.0 - 57740.60.18) <005e8c96-40b6-35e3-b58b-888a5f5957c2> /System/Library/Frameworks/Security.framework/Versions/A/Security
    0x7fff8b751000 -     0x7fff8b782fff  libdispatch.dylib (703.50.37) <6582bad6-ed27-3b30-b620-90b1c5a4ae3c> /usr/lib/system/libdispatch.dylib
    0x7fff8b783000 -     0x7fff8b788ffb  libdyld.dylib (433.5) <9b2ac56d-107c-3541-a127-9094a751f2c9> /usr/lib/system/libdyld.dylib
    0x7fff8b89d000 -     0x7fff8b8bfff7  libsystem_kernel.dylib (3789.70.16) <34b1f16c-bc9c-3c5f-9045-0cae91cb5914> /usr/lib/system/libsystem_kernel.dylib
    0x7fff8b99e000 -     0x7fff8b9a8ff7  libsystem_pthread.dylib (218.60.3) <b8fb5e20-3295-39e2-b5eb-b464d1d4b104> /usr/lib/system/libsystem_pthread.dylib
    0x7fff8b9d1000 -     0x7fff8b9faff7  libxpc.dylib (972.70.1) <bf896df0-d8e9-31a8-a4b3-01120bfeee52> /usr/lib/system/libxpc.dylib

MetaData: {"build":"Mac OS X 10.12.6 (16G29)","action":"deny","target":["com.apple.SecurityServer"],"hardware":"Mac","platform_binary":"yes","profile":"unknown","process":"com.apple.Safari","op":"mach-lookup"}
08:28:37.918613 +0100	Better	0x618000279f40 opened /var/folders/yb/_0t9qp3519sdz6kw14c82fn80000gn/C/better.fyi.mac//mds/mdsObject.db: 4636 bytes
08:28:37.918864 +0100	Better	0x61800027a980 opened /var/folders/yb/_0t9qp3519sdz6kw14c82fn80000gn/C/better.fyi.mac//mds/mdsDirectory.db: 50744 bytes
08:28:37.919884 +0100	Better	0x61800027a980 opened /var/folders/yb/_0t9qp3519sdz6kw14c82fn80000gn/C/better.fyi.mac//mds/mdsDirectory.db: 50744 bytes

#3

Sorry I seemed to miss this when it was first posted! This should not be happening, so I’ve opened an issue, and @aral will look into it.