Read Extended Attributes with Finder Sync Extension

I'm working on adding a finder sync extension to an app. The app is not sandboxed.

In essence, the app is operating on files located in folders that the user chooses; the app stores the status information in an extended attribute for each file.

The extension needs to monitor these folders and assign a badge according to the state indicated in the extended attribute.

Everything is working fine, I can get the app and extension to communicate which folders to watch, I can manipulate the files with the app, setting the extended attributes and the extension is getting requestBadgeIdentifierForURL called.

However, attempting to read the extended attribute using getxattr() is blocked by the sandbox.

I tried creating an app group and to store the folder urls as security scoped bookmarks in the group but this fails when trying to resolve the bookmark.

In retrospect this makes sense since the security scoped bookmark is supposed to be used for accessing the same url by the same app in the same sandbox which is not the case when dealing with an un-sandboxed app and a sandboxed Finder Sync Extension.

I read somewhere (here: https://developer.apple.com/forums/thread/66259?page=2) from someone, quoting DTS on a similar issue that he can either communicate to the main app process to get the information or use document scoped security scoped bookmarks but I'm having trouble finding information about document scoped bookmarks and I'm not sure if it makes sense either.

Thanks in advance

Eyal

Is this problem just with extended attributes? Are you able to read the data fork of the file?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for replying. I didn't check with reading the file in other ways so I can't say the problem is exclusive to accessing extended attributes.

Am I supposed to be able to read a file from a sandboxed extension? It seems to be implied from your question. Perhaps I'm misreading.

Am I supposed to be able to read a file from a sandboxed extension?

Yes, although there are significant restrictions. I go over this in some detail in On File System Permissions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks, the post is very helpful in general and I will refer to it in the future, but if I'm reading it correctly it doesn't provide a path to do what I want. Please correct me if I'm wrong. Here's my reasoning:

  1. My app is not sandboxed.
  2. The extension is sandboxed (because it must be).
  3. The folders the extension watches and needs to access files in (at least the extended attributes) are chosen arbitrarily by the user when using the app.

This means that:

  a. I cannot gain access to these folders via "File Access Temporary Exceptions" or "Standard Location" entitlements because the folders can be anywhere the user chooses.
  b. I cannot gain access to these folders by extending the sandbox because the app is not sandboxed and therefore the extension is not inheriting the sandbox from the app.

The only thing that is not entirely clear here is the essence of my original question:

Can a non-sandboxed app give access via a security scoped bookmark to a sandboxed finder sync extension?

My attempts to do so failed but I'm not sure if it was because it is not possible or because I did something wrong.

Again, thanks for the very illuminating post you wrote, it clarified many questions I had before.

I cannot gain access to these folders by extending the sandbox because the app is not sandboxed and therefore the extension is not inheriting the sandbox from the app.

Right. App extensions are launched in their own sandbox, not launched as a child process of the app (indeed, the app typically isn’t running when the appex launches).

Standard practice here is for the app to allow the user to choose the directory and then pass a bookmark for that to the appex. The appex then resolves that bookmark to gain access. And once it has access, it creates and saves a security-scoped bookmark to maintain that access.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
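
The handoff described in the reply above, together with the getxattr() read from the original question, as an added Swift example that is not code from the thread or from Apple. The app group ID, the defaults keys and the function names are assumptions made for illustration, it handles a single folder, and it assumes the extension is entitled to create app-scoped bookmarks (com.apple.security.files.bookmarks.app-scope).

```swift
import Foundation

// Assumed names, not from the thread.
let groupID = "group.com.example.badges"   // hypothetical app group shared by app and extension
let handoffKey = "handoffBookmark"         // written by the app
let scopedKey = "scopedBookmark"           // written by the extension, in its own defaults

// App side (not sandboxed): after the user picks a folder, publish a plain bookmark.
func publishFolder(_ folder: URL) throws {
    let data = try folder.bookmarkData(options: [], includingResourceValuesForKeys: nil, relativeTo: nil)
    UserDefaults(suiteName: groupID)?.set(data, forKey: handoffKey)
}

// Extension side: reuse the saved security-scoped bookmark if there is one;
// otherwise resolve the app's bookmark and save a security-scoped one.
func openWatchedFolder() throws -> URL? {
    let own = UserDefaults.standard
    var stale = false
    if let saved = own.data(forKey: scopedKey) {
        let url = try URL(resolvingBookmarkData: saved, options: [.withSecurityScope],
                          relativeTo: nil, bookmarkDataIsStale: &stale)
        // Balance with stopAccessingSecurityScopedResource() when the folder is no longer watched.
        guard url.startAccessingSecurityScopedResource() else { return nil }
        if stale { try saveScopedBookmark(for: url) }   // refresh a stale bookmark
        return url
    }
    guard let handoff = UserDefaults(suiteName: groupID)?.data(forKey: handoffKey) else { return nil }
    // Per the reply, resolving the bookmark passed by the app is what gains access.
    let url = try URL(resolvingBookmarkData: handoff, options: [],
                      relativeTo: nil, bookmarkDataIsStale: &stale)
    try saveScopedBookmark(for: url)
    return url
}

func saveScopedBookmark(for url: URL) throws {
    let data = try url.bookmarkData(options: [.withSecurityScope],
                                    includingResourceValuesForKeys: nil, relativeTo: nil)
    UserDefaults.standard.set(data, forKey: scopedKey)
}

// Read one extended attribute; nil means getxattr() failed and errno holds the reason.
func readAttribute(_ name: String, of file: URL) -> Data? {
    file.withUnsafeFileSystemRepresentation { path -> Data? in
        let size = getxattr(path, name, nil, 0, 0, 0)          // first call: query the length
        guard size >= 0 else { return nil }
        var buf = Data(count: size)
        let n = buf.withUnsafeMutableBytes { getxattr(path, name, $0.baseAddress, size, 0, 0) }
        return n >= 0 ? buf.prefix(n) : nil
    }
}
```

A nil result from readAttribute while openWatchedFolder has not yet returned a URL is the sandbox denial described in the question; logging errno at that point distinguishes it from a missing attribute.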
