Re: Entitlements and specific files/dirs
- Subject: Re: Entitlements and specific files/dirs
- From: Michael Vannorsdel <email@hidden>
- Date: Thu, 18 Aug 2011 16:09:10 -0600
After lots of playing and reading of obscure documentation, it looks like Lion creates a duplicate library in the Containers folder so even a sandboxed app with no read or write file access still has access to its own Application Support, Caches, and Preferences folders, among others. The file access setting refers to files opened through standard AppKit API panels; accessing arbitrary files without user interaction is still blocked (only files users open with these APIs even appear in your sandboxed world while everything else appears to not exist).
I also found that Allow Incoming Connections is the one that blocks port binding and general server type behavior. The outgoing covers general client behavior like requesting and receiving data responses.
Hopefully this will help someone else as I can't point to any easy docs to refer to as this info was gathered piecemeal from official and unofficial docs and through trial and error.
On Aug 18, 2011, at 10:08 AM, Sean McBride wrote:
> On Wed, 17 Aug 2011 03:17:30 -0600, Michael Vannorsdel said:
>
>> Apologies if this has been covered in the past but my searches did not
>> turn up anything as specific as I'm looking for.
>
> Are you talking about on Lion? If so, there hasn't been much discussion of this new feature here yet.
>
>> Is there a way to refine sandbox entitlements to allow read/write access
>> to specific files and directories instead of just all or none? For
>> instance, only allowing RW to Caches and Preferences but nowhere else.
>
> com.apple.security.temporary-exception.files.absolute-path.read-write
>
> But "temporary-exception" suggests you should file bugs for better solutions.
>
>> And on a side question, does outgoing network entitlement mean the
>> binding of a port for services or does it mean any outbound data such as
>> an http request?
>
> I believe it allows any connections. I haven't seen a way to permit access to only some hosts or only some ports.
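
An added example, not part of the original thread: a small Python audit of a sandbox entitlements plist that reports the settings discussed above (outgoing versus incoming network access, user-selected file access, and any temporary-exception path grants). The sample plist, the `ExampleApp` path and the `audit`/`findings` helper names are constructed for illustration.

```python
import plistlib

# Constructed sample entitlements file (not taken from the thread).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
  <array><string>/Library/Application Support/ExampleApp/</string></array>
</dict></plist>"""

P = "com.apple.security."
TEMP = P + "temporary-exception."

def audit(plist_bytes):
    """Summarise what a sandbox entitlements plist grants."""
    ent = plistlib.loads(plist_bytes)
    report = {
        "sandboxed": ent.get(P + "app-sandbox") is True,
        "outgoing": ent.get(P + "network.client") is True,  # client requests
        "incoming": ent.get(P + "network.server") is True,  # bind/listen
        "user_selected": None,   # access to files picked in open/save panels
        "exceptions": {},        # temporary-exception grants, keyed by suffix
    }
    for mode in ("read-write", "read-only"):
        if ent.get(P + "files.user-selected." + mode) is True:
            report["user_selected"] = mode
            break
    for key, value in ent.items():
        if key.startswith(TEMP):
            report["exceptions"][key[len(TEMP):]] = value
    return report

def findings(report):
    """Return the items a reviewer would want to look at first."""
    out = []
    if not report["sandboxed"]:
        out.append("app-sandbox is not enabled")
    if report["incoming"]:
        out.append("network.server: app may bind ports and accept connections")
    for name, paths in report["exceptions"].items():
        out.append(f"temporary exception {name}: {paths}")
    return out

if __name__ == "__main__":
    for line in findings(audit(SAMPLE)):
        print(line)
```
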
_______________________________________________
Cocoa-dev mailing list (email@hidden)