How to launch another process in sandbox on Mac?

Question

I'd like to launch another own application by LSOpenApplication() in Sandbox on Mac.

Of course, I added a row into 'com.apple.security.temporary-exception.files.absolute-path.read-write' in an entitlements file for launching.

However, when launching, console spat out an error which is Not allowing process xxxx to launch "foo.app" because it has not been launched previously by the user. It is able to launch without errors after launched the process manually once.

How can I launch the process even if not launch previously? Is this no relation with sandboxing?

Answer 1

There are very few conditions under which you'll be able to launch another application and have the desired outcome. com.apple.security.temporary-exception.files.absolute-path.read-write doesn't gain you anything with regard to LaunchServices so you can remove that entitlement.

As a sandboxed application you are fairly limited in what you can actually sub-launch, this is an intentional behavior as launching another application is technically a violation of the sandbox model. the ways available to you are:

1. include an XPC Service in your application and have launchd launch it for you
2. you can run an application via NSTask, which will cause this application to inherit your sandbox when launched
3. you can launch an application by name, though from what i've seen this generally only works if the application is in your /Applications folder, i.e. -[NSWorkspace launchApplication:]
4. you can launch an application that encloses your app, but only if you've been SMLoginItemSetEnabled()

I'd say the osascript call works because its doing roughly the same as -[NSWorkspace launchApplication:]. none of the LS calls that accept bundle identifiers or absolute/relative paths are going to work.