I am writing a sandboxed macOS application in Objective-C / Swift. I am interested in terminating other applications programmatically. In Cocoa, there is a NSRunningApplication class that exposes the following methods:
- (BOOL)terminate;
- (BOOL)forceTerminate;
The documentation for both methods says:
Sandboxed applications can’t use this method to terminate other applications. This method returns false when called from a sandboxed application.
I am used to cryptic documentation from apple, and I was thinking: The docs clearly say that this method cannot be used to terminate other applications if called from a sandboxed app, but from the wording, they suggest that there could be another method. Does anybody know a way to terminate an instance of NSRunningApplication from a sandboxed app ? Many thanks for your help.
In general, I'm pretty sure the answer is no. That would defeat the purpose of sandboxing, and I don't think there's an entitlement for gaining access to process services or signals.
There are particular circumstances where you might be able to terminate another process by asking the process to terminate itself. For example a server that accepts socket connections might have a command it can accept as part of its communication protocol that tells it to quit. Obviously that's going to be specific to each such process.
For the general case think you'd need to remove the sandbox capability, which means no App Store placement for the app - and if I'm not mistaken the only OS in Apple's ecosystem that even allows running unsandboxed apps at all is macOS, so except for a Mac app, even testing it wouldn't be officially possible.
However, if it is a Mac app and you unsandbox it, then the app will need sufficient privileges to terminate other apps. That's usually accomplished by creating a privileged helper tool, which requires using
SMJobBlessto launch. You can run the app itself with the privileges but that's a bad idea for security reasons. Normally you want just the the part that implements the functionality requiring elevated privileges to actually have the elevated privileges, which means a separate process. Hence the helper tool.Setting up helper tools for elevated privileges is kind of a pain, but you may find this GitHub repo useful (disclaimer: it's my fork of another project).