Has anyone gotten Postgres to run in a sandboxed app? I am compiling Postgres 18 myself from source and have tried to patch it so it doesn't use sysv (shmem) but it apparently has all kinds of invocations of sysv and once it's sandboxed has issues, e.g.:
2026-02-24 18:26:05.014 EST [4384] FATAL: semctl(65596, 16, SETVAL, 536) failed: Operation not permitted
Does anyone know of a way to either make the sandbox relax or make Postgres compatible with sandboxing? I have tried passing flags to initdb to use POSIX semaphores but it always wants to use sysv so I'm finding myself super deep in the weeds of the Postgres source code.
Has anyone gotten Postgres to run in a sandboxed app?
Not personally, but I can shed some light on the App Sandbox side of this.
System V IPC is a compatibility API an macOS. We recommend against using it in new code. Given that, it shouldn’t come as a big surprise that it doesn’t have a good story regarding the App Sandbox.
The alternative, Posix IPC, works in the App Sandbox as long as you conform to the naming guidelines described in App Groups Entitlement [1].
So, to make this work you’ll need to:
- Sign your executables to claim access to an app group.
- Configure the library to use Posix IPC.
- With a name that’s authorised by that app group.
I don’t have any expertise with this specific third-party library, so I’ve no insight into the last two. I’m happy to help with the first. I have lots of background on that in App Groups: macOS vs iOS: Working Towards Harmony.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
