legacyScreenSaver Sandboxing CFPreferences

I have a .saver which attempts to launch a helper .app and the helper app is struggling under Catalina (beta 1-3).

The .saver is launching the .app using a simple call to Process.Launch


The errors look like this:

rejecting read of { com.mycompany.saver.77300306, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 1281 (myScreensaver) because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access



What's interesting:

  • the error happens in my app before I do any reading or writing of CFPreferences - it appears to be the AppKit framework itself
  • the CFPreferences are being read from kCFPreferencesAnyUser, kCFPreferencesCurrentHost, which seems wrong - shouldn't it be CurrentUser? I would expect that a sandboxed process would have no permissions to write to the AnyUser domain.
  • also, when the app launches, it opens a WKWebView, which fails to render properly.



What I've tried:

  • I've tried adding / removing / changing the plist for my helper app (sandbox, sandbox inherit, various entitlements) but nothing seems to have any effect.
  • I've found a partial workaround, which is to set the CFBundleIdentifier to the path to the container, e.g. /Users/username/Library/Containers/com.apple.ScreenSaver.Engine.legacyScreenSaver/Data/Library/Preferences/com.mycompany.saver.77300306. This prevents all the error messages in console; however, WKWebView still fails to load.