Sandboxing and calling Launchctl

  • Subject: Sandboxing and calling Launchctl
  • From: Mark Allan <email@hidden>
  • Date: Tue, 29 May 2012 09:52:57 +0100

Hi all,

I posted this to the developer forums yesterday but I think this list probably gets a good bit more eyeball than the forum, so I'm sending here too. Sorry for the cross-post if you're seeing it twice.  Anyway...

I'm trying to put together the last bits and pieces of sandboxing my app but I've just hit a problem.  I don't appear to be able to use launchctl to schedule tasks any more.

With my app sandboxed, I'm launching an NSTask with the following launch path and arguments:
> /bin/launchctl load -w /Users/mark/Library/Containers/<my app identifier>/Data/Library/LaunchAgents/<my app identifier>.helpername.plist


I'm using the correct APIs to get the path and read/write the helpername.plist file.  As per other command line tools I launch via NSTask, launchctl is presumably inheriting the same entitlements as my main application, but launchctl obviously needs to modify other files to which my app normally wouldn't have access - namely:
/private/var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist


The inherited entitlements don't allow access to that file, so I'm seeing this from sandboxd in the log file:
> launchctl(4831) deny file-read-data /private/var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist
and
> launchctl(4831) deny job-creation

I'm also seeing this in Xcode's run log:
> Bug: launchctl.c:2425 (25957):1: (dbfd = open(g_job_overrides_db_path, O_RDONLY | O_EXLOCK | O_CREAT, S_IRUSR | S_IWUSR)) != -1
> launch_msg(): Socket is not connected

As the user ID in the filename which launchctl is trying to write will be different for different users, I don't think I can set a temporary entitlement for it (haven't tried yet, that's today's task!), and even if I can, it doesn't seem like the right answer for long-term use.

Has anyone else come across this problem?  If so, how did you solve it?

Many thanks
Mark
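
Added example (not part of the original post): a small Python triage of the sandboxd deny lines quoted above. It groups denials by process and operation and collapses the per-user ID in the launchd path, so the same denial seen under different users counts as one. The third sample line (UID 502) and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the two deny lines quoted in the post, plus one
# constructed line for a second user ID (502) to show the normalization.
SAMPLE_LOG = """\
launchctl(4831) deny file-read-data /private/var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist
launchctl(4831) deny job-creation
launchctl(5120) deny file-read-data /private/var/db/launchd.db/com.apple.launchd.peruser.502/overrides.plist
"""

# "<process>(<pid>) deny <operation> [<target>]", the shape shown in the post.
DENY_RE = re.compile(
    r"(?P<proc>[^\s()]+)\((?P<pid>\d+)\) deny (?P<op>\S+)(?: (?P<target>\S.*))?$"
)
PERUSER_RE = re.compile(r"(com\.apple\.launchd\.peruser\.)\d+")


def parse_denials(text):
    """Return one dict per deny line: process, pid, operation, target (or None)."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line.strip())
        if m is None:
            continue  # not a deny line
        target = m.group("target")
        if target is not None:
            # Collapse the per-user ID so the same denial groups across users.
            target = PERUSER_RE.sub(r"\g<1><uid>", target)
        denials.append({"process": m.group("proc"), "pid": int(m.group("pid")),
                        "operation": m.group("op"), "target": target})
    return denials


def summarize(denials):
    """Count denials per (process, operation, normalized target)."""
    return Counter((d["process"], d["operation"], d["target"]) for d in denials)


def non_file_operations(denials):
    """Operations denied with no path target, i.e. not file accesses."""
    return sorted({d["operation"] for d in denials if d["target"] is None})


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_LOG)
    for (proc, op, target), n in sorted(summarize(parsed).items(), key=str):
        print(f"{n}x {proc} deny {op} {target or '(no path)'}")
    print("non-file operations:", non_file_operations(parsed))
```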