Yes, you need to rebuild to make sandbox policy changes with the exception of a few things that are parameterized. One thing to try that can be set via prefs is to try setting the pref `security.sandbox.content.mac.disconnect-windowserver` to `false` with the sandbox enabled which would tell us if it is related to not having a WindowServer connection.

Since setting `security.sandbox.content.level` to `1` did not avoid the problem, it's probably not caused by not having permission to read the filesystem. I suspect it's related to trying to connect to a mach service it doesn't normally connect to in a non-virtualized environment or has a timeout in this environment. These are logged with messages like `plugin-container(3912) deny(1) mach-lookup com.apple.lsd.modifydb`.

After the WindowServer test, what I would do for next steps is to look for the messages related to denying connection to a service (`com.apple.lsd.modifydb` in the above example) and allow that service in the content process policy with an allow rule by adding it to SandboxPolicyContent.h [here](https://searchfox.org/mozilla-central/rev/8011b6325f7ce05d228a3cdefd45d74fb98ee7b4/security/sandbox/mac/SandboxPolicyContent.h#168), making sure to get the parentheses right. We might be able to find a single service connection attempt that is causing the delay.

Do we have a method for running this VM type on a developer Mac?
Bug 1893921 Comment 55 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Yes, you need to rebuild to make sandbox policy changes with the exception of a few things that are parameterized. One thing to try that can be set via prefs is to try setting the pref `security.sandbox.content.mac.disconnect-windowserver` to `false` with the sandbox enabled which would tell us if it is related to not having a WindowServer connection. Edit: looking at the profile, the `NSAppShell::Init()` call is stuck in `NSColorGetUserAccentColor` which might be trying to connect to the WindowServer or something display-related.

Since setting `security.sandbox.content.level` to `1` did not avoid the problem, it's probably not caused by not having permission to read the filesystem. I suspect it's related to trying to connect to a mach service it doesn't normally connect to in a non-virtualized environment or has a timeout in this environment. These are logged with messages like `plugin-container(3912) deny(1) mach-lookup com.apple.lsd.modifydb`.

After the WindowServer test, what I would do for next steps is to look for the messages related to denying connection to a service (`com.apple.lsd.modifydb` in the above example) and allow that service in the content process policy with an allow rule by adding it to SandboxPolicyContent.h [here](https://searchfox.org/mozilla-central/rev/8011b6325f7ce05d228a3cdefd45d74fb98ee7b4/security/sandbox/mac/SandboxPolicyContent.h#168), making sure to get the parentheses right. We might be able to find a single service connection attempt that is causing the delay.

Do we have a method for running this VM type on a developer Mac?
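
Added example, not part of the original comment or of Firefox's code: a small triage script for the log search described above. It tallies `mach-lookup` denials per service for `plugin-container` and prints one candidate allow rule per service, so each can be tried on its own in a local diagnostic build. The sample log lines are constructed; only `com.apple.lsd.modifydb` appears in the comment, the other names are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the shape quoted in the comment. Only
# com.apple.lsd.modifydb is from the page; other names are placeholders.
SAMPLE_LOG = """\
Sandbox: plugin-container(3912) deny(1) mach-lookup com.apple.lsd.modifydb
Sandbox: plugin-container(3912) deny(1) file-read-data /private/example/placeholder
Sandbox: plugin-container(3913) deny(1) mach-lookup com.example.placeholder-service
Sandbox: plugin-container(3912) deny(1) mach-lookup com.apple.lsd.modifydb
Sandbox: otherproc(100) deny(1) mach-lookup com.example.unrelated
"""

# process(pid) deny(N) mach-lookup service; the service name is limited
# to safe characters so it can be quoted inside a policy string as-is.
DENY_RE = re.compile(
    r"(?P<proc>[\w.\-]+)\((?P<pid>\d+)\) deny\(\d+\) "
    r"mach-lookup (?P<service>[\w.\-]+)"
)


def denied_mach_services(log_text, process="plugin-container"):
    """Count mach-lookup denials per service for one process name."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("proc") == process:
            counts[m.group("service")] += 1
    return counts


def candidate_rules(counts):
    """One SBPL allow rule per denied service, most frequent first."""
    return [
        '(allow mach-lookup (global-name "%s"))' % service
        for service, _ in counts.most_common()
    ]


if __name__ == "__main__":
    tally = denied_mach_services(SAMPLE_LOG)
    for service, n in tally.most_common():
        print(f"{n:3d}  {service}")
    # Try one rule at a time to isolate the lookup that causes the delay.
    print("\n".join(candidate_rules(tally)))
```

Adding the rules one at a time keeps the content policy as tight as possible and identifies the single service connection the comment is looking for.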