When developing… | When adopting App Sandbox… |
---|---|
Add features | Minimize system resource use |
Take advantage of access throughout your app | Partition functionality, then distrust each part |
Use the most convenient API | Use the most secure API |
View restrictions as limitations | View restrictions as safeguards |
`.entitlements` property list file and shows it in the project navigator.

`.entitlements` property list file directly.

`NSHomeDirectory` function.

`Library` directory (specified by the `NSLibraryDirectory` search path constant) for use only by your app, with individual `Application Support` and `Preferences` subdirectories.

`NSTemporaryDirectory` function provides a path to a directory that is outside of the user’s home directory but specific to your app and within your sandbox; you have unrestricted read/write access to it for the current user. The behavior of these path-finding APIs is suitably adjusted for App Sandbox and no code change is needed.

`com.apple.security.application-groups` entitlement to request access to one or more shared containers common to multiple apps produced by the same development team. The entitlement is an array of group identifier strings, each of which names a different group to which the app belongs. Group containers are intended for content that is not user-facing, such as shared caches or databases.

`~/Library/Group Containers/<application-group-id>`, where `<application-group-id>` is the name of a group, as specified in one of the entitlement’s group identifier strings. Group identifiers must begin with your development team ID, followed by a period.

`containerURLForSecurityApplicationGroupIdentifier:` method of `NSFileManager` with a valid group identifier.

`Library/Preferences`, `Library/Caches`, and `Library/Application Support` folders within that group container directory.

`Library` folder is organized, using standard folder names—`Preferences`, `Application Support`, and so on—as needed.

`NSOpenPanel` and `NSSavePanel` classes. You enable Powerbox by setting an entitlement using Xcode, as described in Enabling User-Selected File Access in Entitlement Key Reference.

`NSOpenPanel` and `NSSavePanel` classes, described in Open and Save Dialog Behavior with App Sandbox.

`~/Documents` folder onto your app’s Dock tile (or onto your app’s Finder icon, or into an open window of your app), thereby indicating they want to use that folder. In response, the system makes the `~/Documents` folder, its contents, and its subfolders available to your app.

`NSTemporaryDirectory`.

`/tmp` directory is not accessible from sandboxed apps. Use the `NSTemporaryDirectory` function to obtain a temporary location for your app’s temporary files.

`Info.plist` file and code to tell the sandbox what you’re doing.

`.rtf` to `.rtfd` (and it becomes a directory).

`NSFileCoordinator` object to coordinate access to the file. Before you rename the file, call the `itemAtURL:willMoveToURL:` method. After you rename the file, call the `itemAtURL:didMoveToURL:` method.

`NSFilePresenter` protocol. This object should provide the main file’s URL as its `primaryPresentedItemURL` property, and should provide the secondary file’s URL as its `presentedItemURL` property.

`addFilePresenter:` class method on the `NSFileCoordinator` class to register itself.

`Info.plist` file. Your app should already declare a Document Types (`CFBundleDocumentTypes`) array that declares the file types your app can open.

`NSIsRelatedItemType` with a boolean value of `YES`.

`NSOpenPanel` and `NSSavePanel` methods behave differently when App Sandbox is enabled for your app:

`ok:` method.

`panel:userEnteredFilename:confirmed:` method from the `NSOpenSavePanelDelegate` protocol.

`NSOpenPanel` and `NSSavePanel` classes is different with App Sandbox, as illustrated in Table 2-2.

| | Class hierarchy |
|---|---|
| Without App Sandbox | NSOpenPanel : NSSavePanel : NSPanel : NSWindow : NSResponder : NSObject |
| With App Sandbox | NSOpenPanel : NSSavePanel : NSObject |
`NSOpenPanel` or `NSSavePanel` object inherits fewer methods with App Sandbox. If you attempt to send a message to an `NSOpenPanel` or `NSSavePanel` object, and that method is defined in the `NSPanel`, `NSWindow`, or `NSResponder` classes, the system raises an exception. The Xcode compiler does not issue a warning or error to alert you to this runtime behavior.

`NSOpenPanel` dialog to obtain the user’s intent to use a specific folder. Then, create an app-scoped bookmark for that folder and store it as part of the app’s configuration (perhaps in a property list file or using the `NSUserDefaults` class). With the app-scoped bookmark, your app can obtain future access to the folder.

`/private` or `/Library`).

`com.apple.security.files.bookmarks.app-scope` entitlement value to `true`.

`com.apple.security.files.bookmarks.document-scope` entitlement value to `true`.

`bookmarkDataWithOptions:includingResourceValuesForKeys:relativeToURL:error:` method of the `NSURL` class.

`URLByResolvingBookmarkData:options:relativeToURL:bookmarkDataIsStale:error:` method of the `NSURL` class.

`startAccessingSecurityScopedResource` method on the URL.

`stopAccessingSecurityScopedResource` method on the resource’s URL.

`stopAccessingSecurityScopedResource` method, you immediately lose access to the resource. If you call this method on a URL whose referenced resource you do not have access to, nothing happens.

`CFURLCreateBookmarkData`, `CFURLCreateByResolvingBookmarkData`, `CFURLStartAccessingSecurityScopedResource`, and `CFURLStopAccessingSecurityScopedResource` in CFURL Reference.
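The app-scoped bookmark workflow described above (open panel, create bookmark, store it, resolve it later, start and stop security-scoped access), as an added Objective-C example that is not code from the Apple guide. It assumes the `com.apple.security.files.bookmarks.app-scope` entitlement is set to `true`; the `NSUserDefaults` key `FolderBookmark` and the function names are assumed for illustration.

```objc
#import <Cocoa/Cocoa.h>

// Assumed NSUserDefaults key for the persisted bookmark (not from the guide).
static NSString * const kFolderBookmarkKey = @"FolderBookmark";

// Step 1: right after the user picks a folder in NSOpenPanel (while the Powerbox grant
// is live), create an app-scoped bookmark and persist it. relativeToURL:nil makes the
// bookmark app-scoped; passing a document URL instead would make it document-scoped.
BOOL SaveFolderBookmark(NSURL *folderURL, NSError **error) {
    NSData *bookmark = [folderURL bookmarkDataWithOptions:NSURLBookmarkCreationWithSecurityScope
                           includingResourceValuesForKeys:nil
                                            relativeToURL:nil
                                                    error:error];
    if (!bookmark) return NO;
    [[NSUserDefaults standardUserDefaults] setObject:bookmark forKey:kFolderBookmarkKey];
    return YES;
}

// Step 2 (any later launch): resolve the bookmark, open security-scoped access,
// run `work`, then close access. Returns NO if no usable bookmark exists.
BOOL WithBookmarkedFolder(void (^work)(NSURL *folder), NSError **error) {
    NSData *bookmark = [[NSUserDefaults standardUserDefaults] dataForKey:kFolderBookmarkKey];
    if (!bookmark) return NO;
    BOOL isStale = NO;
    NSURL *folder = [NSURL URLByResolvingBookmarkData:bookmark
                                              options:NSURLBookmarkResolutionWithSecurityScope
                                        relativeToURL:nil
                                  bookmarkDataIsStale:&isStale
                                                error:error];
    if (!folder) return NO;
    // Access exists only between start and stop; stop only after a successful start.
    if (![folder startAccessingSecurityScopedResource]) return NO;
    if (isStale) {
        // Folder moved or was renamed since bookmarking: refresh the stored bookmark now.
        (void)SaveFolderBookmark(folder, NULL);
    }
    work(folder);
    [folder stopAccessingSecurityScopedResource];   // access is lost immediately
    return YES;
}

// Both steps together: ask the user once, reuse the grant on later launches.
void ExampleUsage(void) {
    NSOpenPanel *panel = [NSOpenPanel openPanel];
    panel.canChooseDirectories = YES;
    panel.canChooseFiles = NO;
    if ([panel runModal] == NSModalResponseOK) (void)SaveFolderBookmark(panel.URL, NULL);
    (void)WithBookmarkedFolder(^(NSURL *folder) {
        NSArray *items = [[NSFileManager defaultManager] contentsOfDirectoryAtURL:folder
                           includingPropertiesForKeys:nil options:0 error:NULL];
        NSLog(@"%lu items in %@", (unsigned long)items.count, folder.path);
    }, NULL);
}
```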
`<path/to/app>` placeholder, substitute the path to the Apple-signed version of your app. Instead of manually typing the path, you can drag the app’s Finder icon to the Terminal window.

`<container name>` placeholder, substitute the name of your app’s container directory. (The name of your app’s container directory is typically the same as your app’s bundle identifier.)

`asctl` (App Sandbox control) tool.

`fork`, for example) simply inherits its parent’s sandbox, helper apps do not. Therefore, if you are submitting your app to the Mac App Store, verify that any embedded helper apps are also individually sandboxed.

`<executable-path>` is the complete path to an executable binary in your app bundle.

`posix_spawn` function, by calling `fork` and `exec` (discouraged), or by using the `NSTask` class simply inherits the sandbox of the process that created it. You cannot configure a child process’s entitlements. For these reasons, child processes do not provide effective privilege separation.

`/Applications` and the app bundle and all contents are owned by root.

`spctl` tool as follows:

`LSOpenCFURLRef`, for example) or indirectly (by calling the `launchApplicationAtURL:options:configuration:error:` method in `NSWorkspace`, for example).

`deny file-write-data /Applications/Main.app/Contents/Resources/Helper.app` sandbox violation. This error has no functional impact and can be ignored.

`/`), followed by a name of your choosing.

`.`), followed by a name of your choosing.

`Z123456789.com.example.app-group`, you might create two semaphores named `Z123456789.myappgroup/rdyllwflg` and `Z123456789.myappgroup/bluwhtflg`. You might create a Mach port named `Z123456789.com.example.app-group.Port_of_Kobe`.