
psychicpaper's Introduction

Psychic Paper

AMFI/amfid entitlements check bypass, iOS sandbox escape.
Patched in iOS 13.5 beta 3.

Write-up here.

Building

This repo also contains a tool I called plparse, which can be used to invoke three different XML/plist parsers present on macOS & iOS. Build with:

make

And run as:

plparse -c file.plist
plparse -i file.plist
plparse -x file.plist
plparse -cix file.plist

License

MPL2 with Exhibit B.

psychicpaper's People

Contributors

bcjordan, siguza, umarovm


psychicpaper's Issues

Entitlements not applying

I'm not 100% sure if I'm doing something wrong here or it just doesn't work, but I can't seem to duplicate this bug on my iPhone XR (iOS 13.3, jailbroken).

Creating a new app with this tutorial simply sends "Nope" (since /private/var/... is not readable) even with a properly codesigned (afaik) app. (I also tried doing this on my own app previously with other entitlements and it didn't work; this was just to verify that it doesn't work.) I have tried signing with codesign -d --entitlements [path].app [entitlements file] -f -s "[dev profile]" and then installing with ios-deploy (or from Xcode). I also tried using this gist. It seems like the apps are correctly being signed with the comments, but the entitlements are not being applied.

To see if the apps are actually signed with the entitlements, I ran jtool2 on them:
[screenshot: Screen Shot 2020-05-08 at 11 38 03 PM]

This implied that the codesigning succeeded. However, in the embedded.mobileprovision, these entitlements do not exist (although strangely, the wireless configuration entitlement does).
[screenshot: Screen Shot 2020-05-08 at 11 40 11 PM]

Issue with NSHomeDirectory

Firstly thanks so much for sharing this, I am certainly having fun!

Despite being a no-container and platform-application app, the file APIs NSHomeDirectory(), URLsForDirectory, NSSearchPathForDirectoriesInDomains etc. are all still returning the data container (and it's not writable) rather than the /var/mobile I was expecting. I'm not sure, but it could be because the app is launched from a container path. Are you aware of any way to fix that?

FYI NSUserDefaults is already correctly saving its plist to /var/mobile

Frida?

Have you any experience with Frida? I tried to create a simple “HelloWorld” sort of app, linked in the Frida “Gadget” library, and used your entitlements exploit in the Info.plist of the app. Frida doesn’t seem to be able to escape the sandbox:
escape.py:

    var db = SqliteDatabase.open('/private/var/mobile/Library/SMS/sms.db');

This uses Frida's facility to open a SQLite database. This generates an error. If I access a db within the HelloWorld app's context, I'm able to do this. If I run this on a jailbroken phone, I'm able to get at the db (obvs). Any thoughts?

socket AF_SYSTEM entitlement?

Hi, my app requires opening a socket with AF_SYSTEM, which I can achieve with platform-application and ...-no-container in my psychic paper; however, given these have other side-effects, I thought I'd ask if you know of a more specific entitlement for this? Before console logs went private it was the one that outputs "deny system socket".

posix_spawn and task for pid

I've tried to make use of the task-for-pid-allow entitlement to get the task port of a process on iOS but I cannot get it working:
I could get the task port but every operation on it failed:

    task_for_pid(mach_task_self(), child_pid, &target_task);
    task_info(target_task, TASK_DYLD_INFO, (void *) &tdi, &cnt);

I believed it was because my app is missing the TF_PLATFORM=1 flag, and someone was suggesting to use posix_spawn on an actual platform binary and then use its entitlements, but even in this case I get an error when I try to use the child task, both with or without the flag SUSPENDED:

    #include <spawn.h>
    #include <stdio.h>
    #include <string.h>
    #include <mach/mach.h>
    extern char **environ;
    int main(void) {
        pid_t child_pid;
        char *argv[] = { "/bin/ps", NULL };
        posix_spawnattr_t attr;
        mach_port_t target_task = MACH_PORT_NULL;
        struct task_dyld_info tdi;
        mach_msg_type_number_t cnt = TASK_DYLD_INFO_COUNT;
        /* posix_spawnattr_* return an errno value instead of setting errno */
        int status = posix_spawnattr_init(&attr);
        if (status != 0)
            fprintf(stderr, "can't init spawnattr: %s\n", strerror(status));
        status = posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);
        if (status != 0)
            fprintf(stderr, "can't set flags: %s\n", strerror(status));
        int s = posix_spawn(&child_pid, "/bin/ps", NULL, &attr, argv, environ);
        if (s != 0)
            fprintf(stderr, "posix_spawn failed: %s\n", strerror(s));
        /* Mach calls report failures through kern_return_t, not errno */
        kern_return_t kr = task_for_pid(mach_task_self(), child_pid, &target_task);
        if (kr != KERN_SUCCESS)
            fprintf(stderr, "task_for_pid failed: %s\n", mach_error_string(kr));
        kr = task_info(target_task, TASK_DYLD_INFO, (task_info_t)&tdi, &cnt);
        if (kr != KERN_SUCCESS)
            fprintf(stderr, "task_info failed: %s\n", mach_error_string(kr));
        return 0;
    }

Do you have any advice to make this work? Am I missing something?
