1 change: 1 addition & 0 deletions src/libstore/unix/build/sandbox-network.sb
Expand Up @@ -16,6 +16,7 @@ R""(

; Allow DNS lookups.
(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
(allow mach-lookup (global-name "com.apple.SystemConfiguration.DNSConfiguration"))
Member Author

@Enzime Enzime Dec 16, 2025

@Mic92 it seems like you commented on the commits, so they don't show up at all in the PR view, as far as I can tell

@Mic92:

Can you explain what this line does?
Is it allowing all microkernel syscalls that are sent to the DNS service?

I'm not 100% sure if they're syscalls; my understanding is that c-ares uses the SystemConfiguration.framework, and that's why it needs that sandbox permission:

https://github.com/c-ares/c-ares/blob/16c873c2e58325a1872ff85881284357c15c9084/src/lib/ares_sysconfig_mac.c#L91-L94

The way I figured out which sandbox permissions were missing from this profile was by running:

$ nix build --print-build-logs --option darwin-log-sandbox-violations true
...


$ /usr/bin/log show --predicate 'eventMessage CONTAINS "deny" AND eventMessage CONTAINS "curl"' --last 2m
Filtering the log data using "composedMessage CONTAINS "deny" AND composedMessage CONTAINS "curl""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp                       Thread     Type        Activity             PID    TTL
2025-12-16 15:47:29.803630+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /System/Cryptexes/OS
2025-12-16 15:47:29.809728+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /private/etc/passwd
2025-12-16 15:47:29.809737+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /private/etc/passwd
2025-12-16 15:47:29.809768+0100 0xa683b    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) mach-lookup com.apple.system.notification_center
2025-12-16 15:47:29.809866+0100 0xa683b    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) mach-lookup com.apple.logd
2025-12-16 15:47:29.810242+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /dev/autofs_nowait
2025-12-16 15:47:29.810267+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /private/etc/passwd
2025-12-16 15:47:29.810272+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /private/etc/passwd
2025-12-16 15:47:29.810367+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /dev/autofs_nowait
2025-12-16 15:47:29.812502+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /System/Cryptexes/App
2025-12-16 15:47:29.812506+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /System/Cryptexes/OS
2025-12-16 15:47:29.812519+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /System/Library/Preferences/Logging/Subsystems/com.apple.xpc.plist
2025-12-16 15:47:29.812538+0100 0xa683b    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) mach-lookup com.apple.SystemConfiguration.DNSConfiguration
2025-12-16 15:47:29.812612+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /private/etc/hosts
2025-12-16 15:47:29.812627+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /private/etc/hosts

And then I tried different sets of sandbox rules to get it working

We also have some (allow mach-lookup ...) lines at the bottom of this file for trustd
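
The deny-line triage described in the comment above, as an added example that is not code from this PR or from Nix: a POSIX shell script that parses the `kernel: (Sandbox) Sandbox: <process>(<pid>) deny(1) <operation> <resource>` lines that `log show` prints into unique operation/resource pairs and emits the narrowest SBPL rule that would satisfy each one. The sample log lines are constructed from a subset of the curl denials quoted above (with one duplicate kept on purpose); `collect_denials` wraps the same `log show` invocation the author used, with the process name and time window as parameters; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Nix PR: turn the "deny(1)" lines that
# `log show` prints for a sandboxed process into deduplicated
# "<operation> <resource>" pairs, then into the narrowest SBPL rule that
# would satisfy each one, so every proposed widening of the profile can be
# reviewed one line at a time.

# Constructed sample: a subset of the curl denials quoted in the thread,
# including one duplicate, in the exact format the unified log emits.
SAMPLE_DENIALS='2025-12-16 15:47:29.803630+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /System/Cryptexes/OS
2025-12-16 15:47:29.809728+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /private/etc/passwd
2025-12-16 15:47:29.809737+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /private/etc/passwd
2025-12-16 15:47:29.809768+0100 0xa683b    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) mach-lookup com.apple.system.notification_center
2025-12-16 15:47:29.809866+0100 0xa683b    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) mach-lookup com.apple.logd
2025-12-16 15:47:29.812506+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-metadata /System/Cryptexes/OS
2025-12-16 15:47:29.812538+0100 0xa683b    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) mach-lookup com.apple.SystemConfiguration.DNSConfiguration
2025-12-16 15:47:29.812627+0100 0xa711a    Error       0x0                  0      0    kernel: (Sandbox) Sandbox: curl(44985) deny(1) file-read-data /private/etc/hosts'

# Live collection on macOS: the same predicate the PR author used,
# parameterised on the process name ($1) and the time window ($2, default 2m).
collect_denials() {
    /usr/bin/log show \
        --predicate 'eventMessage CONTAINS "deny" AND eventMessage CONTAINS "'"$1"'"' \
        --last "${2:-2m}"
}

# stdin: raw log lines.  stdout: unique "<operation> <resource>" pairs.
# The kernel message has the shape
#   ... Sandbox: <process>(<pid>) deny(<n>) <operation> <resource>
sandbox_denials() {
    sed -n 's/.*Sandbox: [^(]*([0-9]*) deny([0-9]*) \([^ ]*\) \(.*\)$/\1 \2/p' | sort -u
}

# One candidate rule per pair, scoped to exactly the operation and resource
# that was denied (file-read-data, not file-read*; one global-name, not a
# prefix). Operations this script does not know about are emitted as an SBPL
# comment so they cannot be pasted into a profile unreviewed.
suggest_rule() {
    op=$1
    res=$2
    case $op in
        mach-lookup)  printf '(allow mach-lookup (global-name "%s"))\n' "$res" ;;
        file-read-*)  printf '(allow %s (literal "%s"))\n' "$op" "$res" ;;
        *)            printf '; REVIEW: %s %s\n' "$op" "$res" ;;
    esac
}

# stdin: raw log lines.  stdout: candidate SBPL rules, one per unique denial.
suggest_rules() {
    sandbox_denials | while IFS=' ' read -r op res; do
        suggest_rule "$op" "$res"
    done
}

# Offline run on the constructed sample.
# On a Mac, after a build with darwin-log-sandbox-violations enabled:
#   collect_denials curl | suggest_rules
printf '%s\n' "$SAMPLE_DENIALS" | suggest_rules
```

Treat the output as a list of questions, not as a profile: a denied `file-read-data /private/etc/passwd` may well be something the build should never see, and each `mach-lookup` rule hands the sandboxed process the right to send messages to that system service. In this PR only the `com.apple.SystemConfiguration.DNSConfiguration` lookup was added; the other denials in the log were left in place.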

Member

I don't think loading the library itself is the issue. It looks like com.apple.SystemConfiguration.DNSConfiguration is a so-called Mach service.

Member

So I just learned there are Mach ports, which are kernel-managed message queues, and processes can register well-known names for those. When a process does a mach-lookup it receives the right to communicate with this port, in this case the DNS configuration service.


; Allow access to trustd.
(allow mach-lookup (global-name "com.apple.trustd"))
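Review bot: the comment above the new rule, `; Allow DNS lookups.`, was written for the mDNSResponder socket rule and does not say why a Mach service lookup is needed next to it; the first question in the thread shows the rule is not self-explanatory. Suggest a one-line comment directly before the new line, along the lines of `; c-ares reads the resolver configuration through SystemConfiguration.framework, which needs this Mach service.`, matching the `; Allow access to trustd.` comment the file already uses for its other mach-lookup rule. The rule itself is scoped as narrowly as SBPL allows here, a single `global-name` rather than a prefix, which is the right shape.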