I need to execute the launchctl load/unload command from my sandboxed OSX app. The app has read-write permissions to the folder where the launch agent's plist file resides (using security-scoped bookmarks, which the user of the app grants beforehand).
However, the app gets the following error:
-
5/22/13 9:15:56.420 AM sandboxd[28463]: ([28473]) launchctl(28473) deny file-read-data /private/var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist
-
To make it clear, I do not want to add my own app to the launch items for autostart, and I also found this http://www.mail-archive.com/[email protected]/msg80413.html conversation on a similar topic without any results yet.
The file /private/var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist can only be read or written by the administrator user (root). So for launchctl load/unload to work you must be root, or use sudo to elevate before the command. But in the sandbox you are not allowed to do this.
Depending on your needs, you can use a helper app. Take a look at Adding Login Items Using the Service Management Framework.
In order for an application to do something that requires a privileged operation, Apple suggests that a helper app is created, which can only be called to run by the parent application, due to being signed. The helper app is launched with elevated permissions and performs the minimum required actions. Take a look at SMJobBless here: -
http://developer.apple.com/library/mac/#samplecode/SMJobBless/Introduction/Intro.html
As it states: -
SMJobBless demonstrates how to securely install a helper tool that performs a privileged operation and how to associate the tool with an application that invokes it.
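A sketch of the helper-install call the answer above refers to, added here as an example; it is not code from this page or from Apple's sample. The label `com.example.helper` and the function name `InstallPrivilegedHelper` are hypothetical, and the code assumes the calling process may use Authorization Services, which App Sandbox does not permit.

```objective-c
// Added example. "com.example.helper" and InstallPrivilegedHelper are hypothetical names.
#import <Foundation/Foundation.h>
#import <Security/Authorization.h>
#import <ServiceManagement/ServiceManagement.h>

// The app/helper pairing is enforced by code-signing requirements on both sides:
//   app Info.plist:    SMPrivilegedExecutables = { "com.example.helper" = "<requirement the helper must satisfy>" }
//   helper Info.plist: SMAuthorizedClients     = ( "<requirement the app must satisfy>" )
// The helper binary ships inside the app at Contents/Library/LaunchServices/<label>.
static NSString *const kHelperLabel = @"com.example.helper";

static BOOL InstallPrivilegedHelper(NSError **outError) {
    // Request only the single right that SMJobBless checks.
    AuthorizationItem item = { kSMRightBlessPrivilegedHelper, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    AuthorizationFlags flags = kAuthorizationFlagDefaults |
                               kAuthorizationFlagInteractionAllowed |
                               kAuthorizationFlagPreAuthorize |
                               kAuthorizationFlagExtendRights;
    AuthorizationRef auth = NULL;
    OSStatus status = AuthorizationCreate(&rights, kAuthorizationEmptyEnvironment, flags, &auth);
    if (status != errAuthorizationSuccess) {
        if (outError) {
            *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        }
        return NO;
    }

    // launchd verifies both signing requirements before installing the helper as root.
    CFErrorRef cfError = NULL;
    BOOL ok = SMJobBless(kSMDomainSystemLaunchd, (__bridge CFStringRef)kHelperLabel, auth, &cfError) ? YES : NO;
    if (cfError) {
        NSError *err = CFBridgingRelease(cfError); // takes ownership, so no CFRelease needed
        if (outError) *outError = err;
    }
    // Drop the acquired right as soon as the install attempt is done.
    AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
    return ok;
}

int main(void) {
    @autoreleasepool {
        NSError *error = nil;
        if (!InstallPrivilegedHelper(&error)) {
            NSLog(@"Helper install failed: %@", error);
            return 1;
        }
        NSLog(@"Helper %@ installed", kHelperLabel);
    }
    return 0;
}
```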