Limit file access to certain folders for command line app

I'm writing an app that needs access to the file system, but only certain folders. These folders will be relative to where the tool runs.
For example, if the tool runs in /some-dir I want the tool to be limited to accessing:
/some-dir/project-dir
~/.my-settings-dir
I've looked into sandbox-exec, but not only is it deprecated, it also does not work as expected when allowing file access with (allow file-write*). For some reason, files written via the FileManager in Foundation are not allowed to be written, even though the sandbox configuration is correct. If I spawn a child process and use some other util that writes data to those secure subpaths (like touch or curl) the sandboxing seems to be working. See example config below.


(version 1)
(deny default)
(allow file-write* file-write-data
(subpath "/some-dir")
)

What other options are there to enable some kind of sandboxing? I'm currently only interested in limiting access to the file system.
I've also investigated the suggested methods at https://developer.apple.com/app-sandboxing/ but from what I understand, you can only get access to custom file locations by asking the user via NSOpenPanel, which is not possible from a command line tool.

Thanks.

/Simon

Replies

Why are you bothering with this? If this is a command line tool, just let it run. Don't try to impose security restrictions above and beyond what the OS already does. Don't bother with the sandbox unless you are releasing for the Mac App Store.


You can have a command-line tool that shows a user interface. In fact, all apps are essentially command line tools. There are certain system services that require an app bundle (or more commonly, an event loop) to work properly, but there is no way to tell in advance when you will hit that problem. You just have to run NSApplicationLoad() early in the app's lifecycle.

Hi, and thanks for your answer.
The reason I want this is to add some additional safety around the file operations performed by the tool. Basically, I don't want to write or remove files by mistake.
/S
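One way to get the "don't write or remove files by mistake" guarantee inside the tool itself, independent of sandbox-exec, is to canonicalise every path before handing it to FileManager and refuse anything outside an explicit allow-list. The Swift below is an added example for this thread, not code from the original post; it assumes the two roots named in the question (<cwd>/project-dir and ~/.my-settings-dir) and a macOS Foundation environment.

```swift
import Foundation

/// Wraps write/remove so they can only touch paths strictly inside the allowed roots.
/// Hypothetical helper written for this thread; the root names come from the question.
struct ScopedFileAccess {
    enum AccessError: Error { case outsideAllowedRoots(String), leafIsSymlink(String) }

    private let roots: [[String]]   // canonical path components of each allowed root

    init(roots: [URL]) {
        self.roots = roots.map { $0.standardizedFileURL.resolvingSymlinksInPath().pathComponents }
    }

    /// Returns a canonical URL for `path` only if it lies inside one of the roots.
    /// The parent directory is resolved through symlinks; the leaf itself may not be a
    /// symlink, otherwise a link planted inside project-dir could redirect the write.
    func checked(_ path: String) throws -> URL {
        let url = URL(fileURLWithPath: path).standardizedFileURL   // collapses "." and ".."
        let parent = url.deletingLastPathComponent().resolvingSymlinksInPath()
        if (try? FileManager.default.destinationOfSymbolicLink(atPath: url.path)) != nil {
            throw AccessError.leafIsSymlink(path)
        }
        let canonical = parent.appendingPathComponent(url.lastPathComponent)
        let parts = canonical.pathComponents
        // Component-wise prefix match, so "/x/project-dir-other" never matches "/x/project-dir",
        // and the root directory itself (parts.count == root.count) is never a valid target.
        let inside = roots.contains { parts.count > $0.count && Array(parts.prefix($0.count)) == $0 }
        guard inside else { throw AccessError.outsideAllowedRoots(path) }
        return canonical
    }

    func write(_ data: Data, to path: String) throws {
        try data.write(to: checked(path), options: .atomic)
    }

    func remove(_ path: String) throws {
        try FileManager.default.removeItem(at: checked(path))
    }
}

let cwd = URL(fileURLWithPath: FileManager.default.currentDirectoryPath)
let home = FileManager.default.homeDirectoryForCurrentUser
let access = ScopedFileAccess(roots: [cwd.appendingPathComponent("project-dir"),
                                      home.appendingPathComponent(".my-settings-dir")])

// A traversal out of project-dir is rejected before FileManager is ever called.
do { try access.write(Data("hi".utf8), to: "project-dir/../outside.txt") }
catch { print("blocked: \(error)") }
```

Every FileManager call in the tool should go through `checked(_:)`; paths that bypass it are exactly the mistakes this is meant to catch.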

Hi Simon, I am trying to do this as well, but have been unable to. Have you found any idea?