macOS sandbox problem with auxiliary binaries

The bundle of my App contains a main binary "myMainBin" and an auxiliary binary "myAuxBin".

myMainBin has the entitlement "com.apple.security.files.user-selected.read-write" and successfully reads files.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
</dict>
</plist>

myAuxBin has the following entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.inherit</key>
	<true/>
</dict>
</plist>

Once launched by myMainBin, myAuxBin has its own window and menubar.
Despite the "inherit" entitlement, its Open dialogue fails to open files, with the console message:

Sandbox: takin(5019) deny(1) file-read-xattr /Users/xxxxx/yyyy/myDataFile.data

But why?
How can I solve this problem?

Another strange point:
If the bundle is NOT sandboxed, myAuxBin inherits the icon of the bundle (shown in the dock).
If the bundle IS sandboxed, myAuxBin exhibits the default icon.
Why?
How can I solve this problem?

Thank you in advance.

Replies

myAuxBin has its own window and menubar

In that case I recommend that you package myAuxBin in its own bundle and then give it its own sandbox. Sandbox inheritance (com.apple.security.inherit) was designed for things like helper tools, which don’t have their own independent user-visible existence.

You can still nest this app within your main app, in either Contents/MacOS or Contents/Helpers.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,
Thank you for your answer.
I will try bundling each auxiliary binary but this may imply making the macOS version quite different from the versions for other platforms, something I hoped I could avoid.
A remaining couple of questions:
1- when myMainApp calls myAuxBin shall it be through a Finder command "open" or can I still use a direct call to the binary within the MacOS folder?
2- One of these auxiliary binaries uses a classical Open dialogue to open a file but also opens with no dialogue a set of other files with the same name but different extensions. Is this compatible with sandboxing or is there a trick I should know?
All the best
Linus

On your 2nd question, it would be logical that you cannot make it "programmatically", but only through dialog.

The trick I use to solve (partially) the problem is to first ask for authorisation to access the folder itself, then all files created there are accessible.

But that will not work after users move their files…

In one word, sandboxing is a real headache (at least for me).

Thanks Claude31, I will try that solution which, as you say, is not perfect. Since the folder may contain several file sets, this means asking first for the folder then asking for the file or file set.

sandboxing is a real headache (at least for me).
I agree with you.

1- when myMainApp calls myAuxBin shall it be through a Finder
command open or can I still use a direct call to the binary within
the MacOS folder?

If the helper app has its own sandbox (that is, it sets com.apple.security.app-sandbox but not com.apple.security.inherit) then you can’t launch it as a child process (using Process, posix_spawn, or whatever). Rather, you have to launch it as an app using the Finder (which would be weird, and infeasible in a Mac App Store app) or NSWorkspace.

2- One of these auxiliary binary uses a classical Open dialogue to
open a file

For it to use the open panel it must be a proper GUI app, but you said it has its own menu bar and thus that shouldn’t be a problem.

but also opens with no dialogue a set of other files with the same
name but different extensions. Is this compatible with sandboxing or
is there a trick I should know?

That depends. You may be able to use the related items feature (see Related Items in the App Sandbox Design Guide) but that's very limited. If this doesn't work for you then there are two standard options:
  • Ask the user (via the open panel) to grant you access to the entry directory.

  • Prompt the user (again via the open panel) for access to specific files you need access to.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
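The following Swift code is an added illustration of the two points made in this thread and is not code from the thread, from Apple, or from the poster's project. It shows (a) Quinn's point that a helper with its own sandbox (app-sandbox without inherit) is launched through NSWorkspace rather than as a child process, and (b) the "ask for the entry directory once" approach described by Claude31 and listed by Quinn as a standard option, implemented with a security-scoped bookmark so the sibling files ("same name, different extensions") can be opened without a second dialog. The helper bundle name `myAuxBin.app` under Contents/Helpers, the UserDefaults key, and the `openFileSet` naming convention are assumptions made for the example.

```swift
import AppKit

// Assumed names: the nested helper app bundle and the key under which the bookmark is stored.
let helperAppName = "myAuxBin.app"
let bookmarkKey = "EntryDirectoryBookmark"

/// Launch a nested helper app that carries its own app-sandbox entitlement.
/// NSWorkspace gives it its own sandbox container; Process/posix_spawn would not.
func launchHelperApp() {
    let helperURL = Bundle.main.bundleURL
        .appendingPathComponent("Contents/Helpers/\(helperAppName)")
    let config = NSWorkspace.OpenConfiguration()
    config.activates = true
    NSWorkspace.shared.openApplication(at: helperURL, configuration: config) { app, error in
        if let error = error {
            NSLog("Failed to launch helper: %@", error.localizedDescription)
        } else if let app = app {
            NSLog("Helper running as pid %d", app.processIdentifier)
        }
    }
}

/// Ask the user once for the directory holding the file sets and persist a
/// security-scoped bookmark so later launches can reach every file in it.
func requestEntryDirectoryAccess() -> URL? {
    let panel = NSOpenPanel()
    panel.canChooseDirectories = true
    panel.canChooseFiles = false
    panel.allowsMultipleSelection = false
    panel.message = "Choose the folder containing your data file sets"
    guard panel.runModal() == .OK, let dir = panel.url else { return nil }
    do {
        let data = try dir.bookmarkData(options: .withSecurityScope,
                                        includingResourceValuesForKeys: nil,
                                        relativeTo: nil)
        UserDefaults.standard.set(data, forKey: bookmarkKey)
    } catch {
        NSLog("Could not create bookmark: %@", error.localizedDescription)
    }
    return dir
}

/// Resolve the stored bookmark. Returns nil when nothing is stored or the folder
/// can no longer be found (the "user moved their files" case), so the caller
/// must prompt again. A stale-but-resolvable bookmark is refreshed in place.
func resolveEntryDirectory() -> URL? {
    guard let data = UserDefaults.standard.data(forKey: bookmarkKey) else { return nil }
    var stale = false
    do {
        let url = try URL(resolvingBookmarkData: data,
                          options: .withSecurityScope,
                          relativeTo: nil,
                          bookmarkDataIsStale: &stale)
        if stale, let fresh = try? url.bookmarkData(options: .withSecurityScope,
                                                   includingResourceValuesForKeys: nil,
                                                   relativeTo: nil) {
            UserDefaults.standard.set(fresh, forKey: bookmarkKey)
        }
        return url
    } catch {
        return nil
    }
}

/// Read every file in the entry directory that shares the base name of `mainFile`
/// (for example foo.data, foo.idx, foo.hdr). Access is bracketed by start/stop calls
/// on the directory URL, which is what makes the sibling reads pass the sandbox.
func openFileSet(mainFile: URL) -> [URL: Data] {
    guard let dir = resolveEntryDirectory() ?? requestEntryDirectoryAccess() else { return [:] }
    guard dir.startAccessingSecurityScopedResource() else { return [:] }
    defer { dir.stopAccessingSecurityScopedResource() }

    let base = mainFile.deletingPathExtension().lastPathComponent
    let siblings = (try? FileManager.default.contentsOfDirectory(
        at: dir, includingPropertiesForKeys: nil)) ?? []
    var result: [URL: Data] = [:]
    for url in siblings where url.deletingPathExtension().lastPathComponent == base {
        if let data = try? Data(contentsOf: url) {
            result[url] = data
        }
    }
    return result
}
```

Two practical notes on this example: the app that creates and stores the bookmark must hold the `com.apple.security.files.bookmarks.app-scope` entitlement in addition to `com.apple.security.files.user-selected.read-write`, otherwise the bookmark cannot be resolved on the next launch; and `openFileSet` only sees siblings inside the directory the user granted, so a file set living elsewhere (or moved after the grant) falls back to a fresh prompt rather than failing silently.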