macOS: run APFS formatter elevated

APFS volume creation can still fail with Permission denied after preparing the raw and block device aliases because newfs_apfs performs privileged APFS container and volume operations beyond opening the device nodes.

Route APFS formatting through the elevated CoreService path for non-root macOS runs. Keep the elevated interface narrow by sending only the target device and invoking user UID/GID, validate the device path on the privileged side, rebuild the formatter arguments there, and execute /sbin/newfs_apfs by absolute path to avoid PATH shadowing.

Pass -U/-G so the created filesystem preserves the invoking user ownership. Apply the same path to GUI and text-mode creation.

src/Main/Forms/VolumeCreationWizard.cpp

@@ -843,7 +843,9 @@ namespace VeraCrypt
 					{
 						RestoreMacOSXFormatterDeviceOwners (*finally_arg);
 					});
-					PrepareMacOSXFormatterDevice (virtualDevice, changedDeviceOwners);
+					bool useElevatedAPFSFormatter = UseElevatedMacOSXAPFSFormatter (fsFormatter);
+					if (!useElevatedAPFSFormatter)
+						PrepareMacOSXFormatterDevice (virtualDevice, changedDeviceOwners);
 #else
 					UserId origDeviceOwner ((uid_t) -1);
 
@@ -888,10 +890,19 @@ namespace VeraCrypt
 						}
 					}
 
+#ifdef TC_MACOSX
+					if (IsMacOSXAPFSFormatter (fsFormatter) && !useElevatedAPFSFormatter)
+						AddMacOSXAPFSFormatterUserArgs (args);
+#endif
+
 					args.push_back (string (virtualDevice));
 
 					SetCreationProgressText (StringFormatter (LangString["FORMAT_STAGE_CREATING_FILESYSTEM"], fsFormatter));
+#ifdef TC_MACOSX
+					ExecuteMacOSXFilesystemFormatter (fsFormatter, args);
+#else
 					Process::Execute (fsFormatter, args);
+#endif
 					SetCreationProgressText (LangString["FORMAT_STAGE_DISMOUNTING_TEMP_VOLUME"]);
 				}
 #endif // TC_UNIX