Posts

Post marked as solved
4 Replies
1.6k Views
Hi,

I have a rules file like this:

    (version 1)
    (deny default)
    ...
    (allow file-write* (regex "/Users/thomas/Desktop"))

When I use it on app A, it works fine (the app can write to the desktop), but when I use it on app B, it doesn't work (the app cannot save a file to the desktop). So I made a test app (app C), a simple Cocoa app that just writes a dummy string to a file, and it still doesn't work. If I replace (allow file-write* (regex "/Users/thomas/Desktop")) with (allow file-write*) it works on app B and C too, so I know that's the only thing that's wrong.

So I really don't understand what's going on. How can it work for app A but not for B or C? Especially given that:

- allowing all file-writes works (so I know the regex is the culprit, even though it works for app A (I tested that app A can save to Desktop but not to other locations))
- app C is minimal and is not a "blackbox"
- I tried tons of different variations: literal instead of regex, "^/Users/thomas/Desktop", "^/Users/thomas/Desktop/", "^/Users/thomas/Desktop/*", ...
- apps A, B and C are not sandboxed apps if I run them normally (I can check this in the Activity Monitor)

Thanks in advance for your help!
Post marked as solved
2 Replies
2.3k Views
My app is sandboxed (and cannot open or write any file). I was curious what happened to child processes. I had my app execute a bash script (that just writes to a file). The behaviour was expected: the script, launched by my sandboxed app, was sandboxed too.

However, when I tried to have my app launch another app (not mine), the child app was not sandboxed. I was curious what was different?

I launch my script with

    [task setLaunchPath:@"/bin/bash"];
    [task setArguments:@[@"path/to/script.sh"]];
    [task launch];

and my app with

    [task setLaunchPath:@"/usr/bin/open"];
    [task setArguments:@[@"-a", @"/Applications/some.app"]];
    [task launch];

Note that the same problem happens when launching the app with [[NSWorkspace sharedWorkspace] launchApplication:@"/Applications/some.app"]; and with posix_spawn.

Apple's doc mentions that child processes should inherit sandbox properties, but also mentions that helper apps should include some entitlements properties to do so.

What behaviour should we see? Also, how could I make child processes inherit sandbox properties?

Thanks
Thomas