I'm writing an app that needs access to the file system, but only certain folders. These folders will be relative to where the tool runs.
For example, if the tool runs in /some-dir I want the tool to be limited to accessing:
/some-dir/project-dir
~/.my-settings-dir
I've looked into sandbox-exec, but not only is it deprecated, it also does not work as expected when allowing file access with (allow file-write*). For some reason, files written via the FileManager in Foundation are not allowed to be written, even though the sandbox configuration is correct. If I spawn a child process and use some other util that writes data to those secure subpaths (like touch or curl) the sandboxing seems to be working. See example config below.
(version 1)
(deny default)
(allow file-write* file-write-data
(subpath "/some-dir")
)
What other options are there to enable some kind of sandboxing? I'm currently only interrested in limiting access to the file system.
I've also investiageted the suggested methods at https://developer.apple.com/app-sandboxing/ but from what I undestand, you can only get access to custom file locations by asking the user via NSOpenPanel, which is not possible from a command line tool.
Thanks.
/Simon