Accessing contents of a directory with App Sandbox temporary file exception

If you really, really need access to a path that Apple doesn’t want you to access while sandboxed (i.e. everywhere except what user selected, or a few paths like Documents, Music, Downloads) — you need to add a temporary file exception entitlement.

While these are intended as a stop-gap measure and are not intended for long-term use, they may help you solve your short-term problem.

How to use

After adding entitlements to your app (by marking that checkbox in Xcode), and after turning on Sandbox (again, by marking another checkbox in Xcode), you can see that a new plist-formatted file has appeared in your project with a single entry, com.apple.security.app-sandbox set to true.

Now add a new entry com.apple.security.temporary-exception.files.home-relative-path.read-only (or any of the other combinations of home-relative-path, absolute-path, read-only and read-write). Its type needs to be Array, and its contents need to be Strings.

I only used a single read-only, home-relative path. It needs to be formatted as follows: /Library/Somewhere/Some Data/

Gotchas

First of all… as mentioned, it’s not a String value, it’s an Array value containing strings.

Second… with NSFileManager, you are getting actual values for the first level of contents (e.g. folders), but when accessing subfolders you’re getting nil returnvalue and the error set to The file “2011-07-28” couldn’t be opened because you don’t have permission to view it.? Heh. See that slash on the end? It NEEDS to be there. It absolutely, 100% needs to be there, or else you’re getting the aforementioned permission denied error.

Third… you may be wondering, “How the hell am I going to get the user folder? NSHomeDirectory() is returning a path inside the sandbox container, and so do all other methods!”

Sure, if you stick to Cocoa. Apple has wrapped everything nicely, and I actually commend them on thoroughness. Even getpwent() returns incorrect values – I got /var/virusmail as the home folder.

There’s one thing that does return the username, however: NSUserName(). Don’t be easily tempted to construct the path by simply prepending /Users/. On my external drive, I tend to keep “recent cats” and “future cats”, in order to try everything out, but avoid breaking my workflow. However, it’s worthless unless I bring over the home folder, so on that installation, my home folder is not /Users/ivucica but /Volumes/Macintosh HD/Users/ivucica. Be careful, and use this solution.

#include 
#include 

NSString * IVHomeDirectory()
{
  const struct passwd * passwd = getpwnam([NSUserName() UTF8String]);
  if(!passwd)
    return nil; // bail out cowardly
  const char *homeDir_c = getpwnam([NSUserName() UTF8String])->pw_dir;
  NSString *homeDir = [[NSFileManager defaultManager] 
                      stringWithFileSystemRepresentation:homeDir_c
                      length:strlen(homeDir_c)];
  return homeDir;
}

// simple drop-in replacement for NSSearchPathForDirectoriesInDomains(NSLibraryDirectory, NSUserDomainMask, YES);
NSArray * IVLibraryDirectory()
{
  NSArray * libraryDirectories = [NSArray arrayWithObject: [IVHomeDirectory() stringByAppendingPathComponent:@"Library"]];
  return libraryDirectories;
}

Above solution is inspired by this answer on StackOverflow.

If this helped you, leave me a comment here, and perhaps upvote those comments I made on StackOverflow. Everyone deserves encouragement now and then, right? 🙂


via blog.vucica.net

2 thoughts on “Accessing contents of a directory with App Sandbox temporary file exception

    1. Ivan Vučica Post author

      You will probably still want to use stringWithFileSystemRepresentation:, and you will probably still want to error-check getpwuid() before accessing pw_dir, but yeah — this is nicer than basing it off of NSUserName().

      Thanks!

      Reply

Leave a Reply

Your email address will not be published.

 

What is 4 + 14 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)

This site uses Akismet to reduce spam. Learn how your comment data is processed.