
What does a Mac sandboxed app get access to when the user selects a folder?

Tags: macos, sandbox

I'm reading about Mac app sandboxing and am wondering what exactly happens when a user selects a folder in an NSOpenPanel or NSSavePanel. The “App Sandbox Design Guide” gives the following example:

When a user of your app specifies they want to use a file or a folder, the system adds the associated path to your app’s sandbox. Say, for example, a user drags the ~/Documents folder onto your app’s Dock tile (or onto your app’s Finder icon, or into an open window of your app), thereby indicating they want to use that folder. In response, the system makes the ~/Documents folder, its contents, and its subfolders available to your app.

It's not clear to me what's meant by the “contents” here. Is this limited to seeing what files are in the folder without being able to read what's in those files? Or does this simply mean that the app will be able to read any file that's (recursively) inside the Documents folder (so it can, for example, read both ~/Documents/Foo.txt and ~/Documents/Bar/Baz.txt)? And what about write operations (writing to an existing file, deleting one or creating a new file or folder)?

Rinzwind asked Oct 07 '12 18:10



1 Answer

The app can read all files in the selected folder as well as its subfolders. The same is true for writing, both for new files and for overwriting existing ones. Deleting is also possible, as is creating new folders and moving folders within the bounds of the folder (or other folders you have the required rights for).

Simply put, you have the freedom to do whatever you want within this folder and its subfolders.

Caveat: When the save panel opens up and it shows Documents as the target, it might be ~/Library/Containers/<app signature>/Data/Documents. You may change the location, but the first time I was baffled after the file had successfully been saved but was not located at ~/Documents.

JustSid answered Sep 28 '22 10:09
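The scope described in the answer can be checked from inside a sandboxed app. The following is an added example, not code from the question or the answer: it assumes the app carries the `com.apple.security.files.user-selected.read-write` entitlement, and `GrantReport`, `probeGrant` and `chooseFolderAndProbe` are hypothetical names. It lists the chosen folder recursively, tries to open each file for reading, then creates, writes and deletes a throwaway item, and prints the resolved path so a container-relative Documents folder is easy to spot.

```swift
import AppKit

// What the sandbox allowed inside the user-selected folder.
struct GrantReport {
    var listedItems = 0        // entries seen while walking the tree
    var readableFiles = 0      // regular files that could be opened for reading
    var createdFolder = false
    var wroteFile = false
    var deletedFile = false
}

// Exercises listing, reading, creating, writing and deleting under `folder`.
func probeGrant(at folder: URL) -> GrantReport {
    let fm = FileManager.default
    var report = GrantReport()

    // Recursive walk: covers subfolders such as Bar/Baz.txt, not only the top level.
    if let walker = fm.enumerator(at: folder, includingPropertiesForKeys: [.isRegularFileKey]) {
        for case let url as URL in walker {
            report.listedItems += 1
            let isFile = (try? url.resourceValues(forKeys: [.isRegularFileKey]))?.isRegularFile ?? false
            if isFile, let handle = try? FileHandle(forReadingFrom: url) {
                report.readableFiles += 1
                handle.closeFile()
            }
        }
    }

    // Write-side checks use a uniquely named scratch folder that is removed afterwards.
    let scratch = folder.appendingPathComponent("sandbox-probe-\(UUID().uuidString)")
    let file = scratch.appendingPathComponent("probe.txt")
    report.createdFolder = (try? fm.createDirectory(at: scratch, withIntermediateDirectories: false)) != nil
    report.wroteFile = (try? Data("probe".utf8).write(to: file)) != nil
    report.deletedFile = (try? fm.removeItem(at: file)) != nil
    try? fm.removeItem(at: scratch)
    return report
}

// Lets the user pick a folder; the selection itself is what extends the sandbox.
func chooseFolderAndProbe() {
    let panel = NSOpenPanel()
    panel.canChooseDirectories = true
    panel.canChooseFiles = false
    panel.allowsMultipleSelection = false
    guard panel.runModal() == .OK, let folder = panel.url else { return }
    // A path under ~/Library/Containers/... means the container's Documents was chosen.
    print("Selected:", folder.path)
    print(probeGrant(at: folder))
}
```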