Question

I am making a Mac OS X App (sandboxed) which reads from an installed config file in /etc/myfolder. When I am trying to read the file using NSFileHandle, I am getting the following error in Console:

sandboxd: ([3251]) MyApp(3251) deny file-read-data /private/etc/myfolder/myconfig.conf

I have set the following entitlements in my Entitlements file, but I still get denied by sandboxd.

  • com.apple.security.temporary-exception.files.home-relative-path.read-only
  • com.apple.security.temporary-exception.files.absolute-path.read-only
  • com.apple.security.files.user-selected.read-only

EDIT: It seems that I have misused com.apple.security.temporary-exception.files.absolute-path.read-only.

I set it as a Boolean. I was under the impression that setting it to YES will enable all file reads using absolute paths. The value of the above entitlement must be the absolute path that will be permitted.


Solution

You need to use com.apple.security.temporary-exception.files.absolute-path.read-only and the absolute path /private/etc/myfolder/myconfig.conf - the (10.8.3) sandbox doesn't seem to accept the /etc/myfolder/myconfig.conf path containing the symbolic link.

Note: If you are sandboxing for the Mac App Store you will probably face a near impossible task getting your app accepted with a temporary entitlement to read files in /etc. You would be better off storing this file in your app's container - in the MAS every app is an island surrounded by shark infested waters.
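
An added example (not part of the original question or answer): a small Python lint for an entitlements plist that catches the two mistakes described above, a Boolean where paths are expected and an absolute path that goes through the /etc symlink. The function name, the sample plists and the list of symlinked directories are assumptions made for illustration.

```python
import plistlib

# Path-valued temporary-exception entitlements named in the question.
PATH_KEYS = (
    "com.apple.security.temporary-exception.files.absolute-path.read-only",
    "com.apple.security.temporary-exception.files.home-relative-path.read-only",
)
# Assumption: stock macOS layout, where these are symlinks into /private.
PRIVATE_LINKS = ("/etc", "/tmp", "/var")


def lint_entitlements(plist_bytes):
    """Return (key, problem) tuples for one entitlements plist."""
    entitlements = plistlib.loads(plist_bytes)
    problems = []
    for key in PATH_KEYS:
        value = entitlements.get(key)
        if value is None:
            continue
        if not isinstance(value, (str, list)):
            # The misuse from the question's EDIT: <true/> instead of paths.
            kind = type(value).__name__
            problems.append((key, f"{kind} given; list the permitted paths instead"))
            continue
        paths = [value] if isinstance(value, str) else value
        if "absolute-path" not in key:
            continue
        for path in paths:
            if any(path == l or path.startswith(l + "/") for l in PRIVATE_LINKS):
                problems.append((key, f"{path} crosses a symlink; use /private{path}"))
    return problems


# Constructed sample plists (not taken from the asker's project).
_HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
_KEY = b"<key>" + PATH_KEYS[0].encode() + b"</key>"
_TAIL = b"</dict></plist>"
AS_BOOLEAN = _HEAD + _KEY + b"<true/>" + _TAIL
VIA_SYMLINK = _HEAD + _KEY + b"<array><string>/etc/myfolder/myconfig.conf</string></array>" + _TAIL
CORRECTED = _HEAD + _KEY + b"<array><string>/private/etc/myfolder/myconfig.conf</string></array>" + _TAIL

if __name__ == "__main__":
    for name, sample in [("boolean", AS_BOOLEAN), ("symlink", VIA_SYMLINK), ("corrected", CORRECTED)]:
        print(name, lint_entitlements(sample))
```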

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow