With the launch of Lion, Apple added a new security feature to the operating system: The Application Sandbox. It encourages application authors to specify what subset of system functionality their app needs to function correctly, in order to reduce the impact of a malicious or compromised app. See the Mac OS X Developer Library or the ars technica Lion review for more info on this.

As a part of this, Apple added a set of entitlements labeled “temporary exceptions” (here’s a complete list), most likely to simplify and speed up adoption of this new technology. Your app can claim to need one of these “temporary” entitlements to do certain things that otherwise wouldn’t be allowed by the Sandbox. For GrabBox I need read-only access to the user’s desktop — which falls under this category.

I’ve been spending some time today trying to figure out how to get the com.apple.security.temporary-exception.files.home-relative-path.read-only entitlement working. The documentation is sparse, and there are no samples as far as I can tell. After many attempts, I finally figured out the key piece of information that was keeping me from getting this working: the path you specify in the entitlement needs to start with a slash. For example, instead of specifying Desktop, you specify /Desktop.

Here’s an example of a valid entitlement plist:

Info.plist

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
        <array>
                <string>/Desktop</string>
                <string>/Dropbox</string>
        </array>
</dict>
</plist>
```

I assume this applies to the com.apple.security.temporary-exception.files.home-relative-path.read-write entitlement as well.
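Since the leading-slash mistake is easy to make and produces no helpful error, here is a small audit script that checks an entitlements plist for it and lists every temporary exception the app claims. This is an added example written for this post, not code from GrabBox or from Apple; the two plists embedded in it are constructed for the demo (one copies the working plist above, the other reproduces the missing-slash mistake), and the rule that home-relative paths must begin with "/" is the finding from the post. The "broad path" warning for "/" is an assumption about what such an entry would match and is flagged only for review.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
HOME_RELATIVE_PREFIX = "com.apple.security.temporary-exception.files.home-relative-path."

# Constructed sample: the working entitlements plist from the post.
GOOD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
  <array>
    <string>/Desktop</string>
    <string>/Dropbox</string>
  </array>
</dict>
</plist>
"""

# Constructed sample: the same plist with the mistake the post describes
# (no leading slash), which silently fails to grant access.
BAD_ENTITLEMENTS = GOOD_ENTITLEMENTS.replace(b"<string>/Desktop</string>", b"<string>Desktop</string>")


def audit_entitlements(plist_bytes):
    """Return a list of (severity, message) findings for an entitlements plist.

    Severities: "error" for settings that will not work or do not sandbox the app,
    "warning" for entries worth a second look, "info" for each exception claimed.
    """
    entitlements = plistlib.loads(plist_bytes)
    findings = []

    # The sandbox itself must be switched on, or none of the exceptions matter.
    if entitlements.get(SANDBOX_KEY) is not True:
        findings.append(("error", f"{SANDBOX_KEY} is not true; the app sandbox is not enabled"))

    for key, value in entitlements.items():
        if not key.startswith(TEMP_EXCEPTION_PREFIX):
            continue
        # Exception values are normally arrays of strings; tolerate a single string.
        paths = value if isinstance(value, list) else [value]
        for path in paths:
            if not isinstance(path, str):
                findings.append(("error", f"{key}: non-string entry {path!r}"))
                continue
            if key.startswith(HOME_RELATIVE_PREFIX) and not path.startswith("/"):
                # The post's finding: home-relative paths need a leading slash.
                findings.append(("error", f"{key}: '{path}' must start with '/' (e.g. '/{path}')"))
            elif path in ("", "/"):
                # Assumption: such an entry would cover the whole tree the key is relative to.
                findings.append(("warning", f"{key}: '{path}' is a very broad exception; confirm it is intended"))
            if ".." in path.split("/"):
                findings.append(("warning", f"{key}: '{path}' contains '..'"))
            findings.append(("info", f"{key}: temporary exception for '{path}'"))
    return findings


def has_errors(findings):
    """True when any finding is severity 'error'."""
    return any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    for label, data in (("good", GOOD_ENTITLEMENTS), ("bad", BAD_ENTITLEMENTS)):
        print(f"== {label} ==")
        for severity, message in audit_entitlements(data):
            print(f"[{severity}] {message}")
```

The script reads the XML directly, so it can be pointed at the entitlements file in your Xcode project; to check what actually got signed into a built app, `codesign -d --entitlements` on the .app bundle prints the embedded entitlements plist, which can be fed through the same function.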

I hope this saves other people trying to get this working a little bit of time. :–)
