Why is sandbox not blocking this code?

I have a brand new AppKit App Delegate based application to showcase the issue I'm having.

I've set "User Selected File" in the sandbox entitlements to none.

I've changed the app delegate file to the following.

Code Block
    import Cocoa
    import SwiftUI

    @main
    class AppDelegate: NSObject, NSApplicationDelegate {
        var window: NSWindow!

        func applicationDidFinishLaunching(_ aNotification: Notification) {
            // Walk /Library/LaunchDaemons from inside the sandboxed app.
            let url = URL(fileURLWithPath: "/Library/LaunchDaemons")
            if let enumerator = FileManager.default.enumerator(
                at: url,
                includingPropertiesForKeys: [.isRegularFileKey, .isDirectoryKey],
                options: [.skipsHiddenFiles, .skipsPackageDescendants]
            ) {
                for case let fileURL as URL in enumerator {
                    print(fileURL)
                    do {
                        // Read each entry as UTF-8 text and dump it.
                        let contents = try String(contentsOf: fileURL, encoding: .utf8)
                        print(contents)
                    } catch {
                        // Read failures (directories, non-UTF-8 files, denied access) are ignored here.
                    }
                }
            }
        }

        func applicationWillTerminate(_ aNotification: Notification) {
            // Insert code here to tear down your application
        }
    }


This code gets all files in the /Library/LaunchDaemons path, prints their URL and also prints their contents.

At this point I'm confused. I was under the impression the sandbox was supposed to block this code. Instead, the fileURL and the contents are happily printed out.

Is my understanding of sandbox incorrect? Why is this code able to run?
Just to add, it does seem that user folders are blocked (such as "/User/<name>/Desktop"), but it will happily let me put "/" as the path and print out files and folders.
From the App Sandbox Design Guide, it says the app has access to the following locations:

Temporary directories, command-line tool directories, and specific world-readable locations. A sandboxed app has varying degrees of access to files in certain other well-defined locations

So I'm guessing the access I'm seeing is encapsulated by that?

The App Sandbox does not, in general, block access to /Library. This is because the /Library directory contains a bunch of stuff that’s used by system frameworks and those frameworks need to work inside a sandboxed app. However, it does block particularly sensitive areas within /Library.

Now, you could argue that /Library/LaunchDaemons is particularly sensitive (1), and if you want to make that argument to the App Sandbox team the best way to do that is to file a bug against the sandbox.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(1) And speaking personally, I kinda agree with you (-:
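To see the behaviour described in this thread for yourself rather than infer it from a dump of file contents, the following probe can be dropped into a sandboxed app (for example called from applicationDidFinishLaunching). It is an added example, not code from the original post or from Apple: it tries the two operations the poster's code relies on (list a directory, then read one regular file in it) for the three paths mentioned in the thread and reports allow/deny per path together with the error domain and code, so a sandbox denial is distinguishable from an unreadable file. The names `AccessProbe`, `probe(_:)`, `describe(_:)`, `realHomeDirectory()` and `runSandboxProbe()` are chosen here; the only assumption is that the code runs inside an App Sandbox container.

```swift
import Foundation

/// Outcome of trying to list one directory and read one regular file in it.
/// Added example: the type and function names below are this example's own, not the thread's.
struct AccessProbe {
    let path: String
    let canList: Bool
    let canReadFile: Bool
    let error: String?
}

/// Sandbox denials arrive as NSCocoaErrorDomain errors (NSFileReadNoPermissionError is code 257);
/// keeping domain and code makes the report unambiguous.
func describe(_ error: Error) -> String {
    let ns = error as NSError
    return "\(ns.domain) \(ns.code): \(ns.localizedDescription)"
}

/// Lists `path`, then attempts to read the first regular file found there.
/// Records success or failure of each step instead of printing file contents.
func probe(_ path: String) -> AccessProbe {
    let fm = FileManager.default
    do {
        let entries = try fm.contentsOfDirectory(atPath: path)
        for name in entries {
            let full = (path as NSString).appendingPathComponent(name)
            var isDir: ObjCBool = false
            if fm.fileExists(atPath: full, isDirectory: &isDir), !isDir.boolValue {
                do {
                    _ = try Data(contentsOf: URL(fileURLWithPath: full))
                    return AccessProbe(path: path, canList: true, canReadFile: true, error: nil)
                } catch {
                    return AccessProbe(path: path, canList: true, canReadFile: false, error: describe(error))
                }
            }
        }
        // Listing worked but the directory held no regular file to read.
        return AccessProbe(path: path, canList: true, canReadFile: false, error: "no regular file to read")
    } catch {
        return AccessProbe(path: path, canList: false, canReadFile: false, error: describe(error))
    }
}

/// Inside a sandbox NSHomeDirectory() points at the app container, so take the real home
/// directory from the passwd record instead.
func realHomeDirectory() -> String {
    if let pw = getpwuid(getuid()), let dir = pw.pointee.pw_dir {
        return String(cString: dir)
    }
    return NSHomeDirectory()
}

/// Probes the paths discussed in the thread: the one the poster expected to be blocked,
/// the root they could list, and the per-user folder they found denied.
func runSandboxProbe() -> [AccessProbe] {
    let paths = [
        "/Library/LaunchDaemons",
        "/",
        realHomeDirectory() + "/Desktop",
    ]
    let results = paths.map(probe)
    for r in results {
        let detail = r.error.map { " (\($0))" } ?? ""
        print("\(r.path): list=\(r.canList) read=\(r.canReadFile)\(detail)")
    }
    return results
}
```

Run it once with the sandbox entitlement on and once with it off (or in a plain command-line tool) and compare the per-path results; the difference between the two runs is the sandbox's actual coverage, which is what the poster was trying to establish. Note that the Desktop probe only shows a denial when the app lacks the corresponding file-access entitlement and the user has not granted access through the standard open panel.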