entitlement for user home dir --specific folder rw MacOS

Been scouring on this --
Having sandboxed with --options runtime --timestamp --entitlements and the following in the entitlements.xml, while code signing

<key>com.apple.security.app-sandbox</key> <true/>

the app needs access to user home dir to add logs and permanently stored keys for the MacBook/user.

Having added this also
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array>
  <string>/.myorg/</string>
</array>

Still unable to add log files or create the .myorg directory in the users' home dir, but the rest of the app works. The very first install and activation triggers some permanent keys created and stored in that dir.

Unsigned app works, but the signed one with entitlements does not. No directory is created.

Any other entitlements I am missing? Appreciate some pointers here. Thanks in advance.

Having sandboxed with …

Are you sandboxing the app because you plan to distribute it via the Mac App Store? Or sandboxing it because it’s the right thing to do?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks Eskimo! Answer is "both"; want to be friendly to the Apple ecosystem and at the same time give users confidence that our app is sandboxed. Please let me know if I am missing anything or how to troubleshoot this last hurdle for us. Thanks in anticipation.

Answer is "both"

OK. You are likely to run into troubles with the App Store side of this. My experience is that App Review takes a dim view of folks using temporary exception entitlements.

Having said that, this entitlement is working for me. I have my app signed as:

Code Block
% codesign -d --entitlements :- Test666634.app
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array>
<string>/.myorg/</string>
</array>
</dict>
</plist>


I have this code in my app:

Code Block
@IBAction
private func testAction(_ sender: Any) {
    let realHomeDir = URL(fileURLWithFileSystemRepresentation: getpwuid(getuid()).pointee.pw_dir, isDirectory: true, relativeTo: nil)
    let configDir = realHomeDir.appendingPathComponent(".myorg")
    let uuid = UUID().uuidString
    let newFile = configDir.appendingPathComponent("test-\(uuid).txt")
    do {
        print(newFile)
        try uuid.write(to: newFile, atomically: false, encoding: .utf8)
        print("OK")
    } catch {
        print("NG \(error)")
    }
}


It’s IMPORTANT that I use getpwuid to find the user’s real home directory. If your app is sandboxed, things like homeDirectoryForCurrentUser return the root of the app’s container.

When I run this it prints:

Code Block
file:///Users/quinn/.myorg/test-F2249F1B-129B-471A-AE25-FA258E895935.txt
OK


And the file shows up in the expected place:

Code Block
% ls -lh .myorg
-rw-r--r--@ 1 quinn staff 36B 15 Nov 16:10 test-F2249F1B-129B-471A-AE25-FA258E895935.txt


This is building with Xcode 12.2 and running on 10.15.7.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

the app needs access to user home dir to add logs and permanently stored keys for the MacBook/user.

Why does the app need access to the user home directory for this? You can store logs anywhere. Put them in NSHomeDirectory() and you're done.

What are these "keys" you are talking about? You could store those in NSHomeDirectory() too. But it sounds like they could be user default settings which should go into NSUserDefaults(). If they need to be more secure than that, you can store them in the keychain. By "secure" I don't necessarily mean encrypted, just safe from user and 3rd party app vandalism. Users will often delete first and ask questions later. Sometimes, they use "app zapper" or "clean up" tools to do this at scale.




Thanks again Eskimo and Etresoft for such quick replies. We now understand better, how sandbox works :)

We did not need that explicit exception to use the user's home dir, but can work with container provided workspace, which in fact is now the new home for our app. Container Data folder is persistent across sessions.

Hoping to get a quick approval from MacOS store review team. Good day.
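
The approach the thread settles on (logs inside the app's container, keys in the keychain, no temporary-exception entitlement), sketched as an added example that is not code from any of the posters. It uses FileManager's Application Support lookup rather than NSHomeDirectory(); the `myorg` subdirectory, log file name, and keychain service and account names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers, used only for this example.
let serviceName = "com.example.myorg"
let accountName = "activation-key"

/// Returns (creating it if needed) a private data directory for the app.
/// In a sandboxed app this resolves inside ~/Library/Containers/<bundle id>/Data,
/// so no home-relative-path exception is required.
func appDataDirectory() throws -> URL {
    let base = try FileManager.default.url(for: .applicationSupportDirectory,
                                           in: .userDomainMask,
                                           appropriateFor: nil,
                                           create: true)
    let dir = base.appendingPathComponent("myorg", isDirectory: true)
    try FileManager.default.createDirectory(at: dir,
                                            withIntermediateDirectories: true,
                                            attributes: [.posixPermissions: 0o700])
    return dir
}

/// Appends one timestamped line to a log file in the container.
func appendLog(_ message: String) throws {
    let logFile = try appDataDirectory().appendingPathComponent("app.log")
    let line = Data("\(Date()) \(message)\n".utf8)
    if let handle = try? FileHandle(forWritingTo: logFile) {
        defer { handle.closeFile() }
        handle.seekToEndOfFile()
        handle.write(line)
    } else {
        // First write: the file does not exist yet.
        try line.write(to: logFile, options: .atomic)
    }
}

/// Stores (or replaces) the key material as a generic password item.
/// Returns errSecSuccess on success.
func storeKey(_ key: Data) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: accountName,
    ]
    SecItemDelete(query as CFDictionary)  // errSecItemNotFound is fine here
    var attributes = query
    attributes[kSecValueData as String] = key
    return SecItemAdd(attributes as CFDictionary, nil)
}
```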