Mac Sandbox: testing whether a file is accessible

Asked 9/5, 2012 at 9:2 Answered 10/12, 2013 at 5:37

Solved macos cocoa mac-app-store sandbox

Does anybody know whether there's a way of finding out whether a particular file system location is accessible under the sandbox?

I want to test whether a particular file is accessible under the normal Powerbox rules; that is has already been added to the power box using the open/ save dialog, etc.

Can I do this before triggering a sandbox exception?

Can I catch a sandbox exception?

Best regards,

Frank

Ossy answered 9/5, 2012 at 9:2 Comment(1)

I'm curious why you want to test if a location is accessible. Typically, you specify which locations are accessible in the entitlements, and then get access to other files through the open/save box. – Dincolo 9/5, 2012 at 11:6

You can use the OS access() system call for a quick and simple test, from man access:

#include <unistd.h>

int access(const char *path, int amode);

The access() function checks the accessibility of the file named by path for the access permissions indicated by amode. The value of amode is the bitwise inclusive OR of the access permissions to be checked (R_OK for read permission, W_OK for write permission and X_OK for execute/search permission) or the existence test, F_OK. All components of the pathname path are checked for access permissions (including F_OK).

If path cannot be found or if any of the desired access modes would not be granted, then a -1 value is returned and the global integer variable errno is set to indicate the error. Otherwise, a 0 value is returned.

You could pretty this up for Objective-C using something like:

typedef enum
{
   ReadAccess = R_OK,
   WriteAccess = W_OK,
   ExecuteAccess = X_OK,
   PathExists = F_OK
} AccessKind;


BOOL isPathAccessible(NSString *path, AccessKind mode)
{
   return access([path UTF8String], mode) == 0;
}

Osterman answered 9/5, 2012 at 10:46 Comment(5)

How do you know this works with Powerbox restrictions? These aren't traditional Unix access rights, you know... (assumption #1: the path would be the same, assumption #2: failure would not terminate the program) – Dincolo 9/5, 2012 at 11:1

Well, I tried it and it works fine. The Sandbox does intercept unix level calls and it looks like the check does not trigger any sandboxd messages either. Excellent! Thanks a million. – Ossy 9/5, 2012 at 12:48

@DietrichEpp - The sandbox operates at the OS level; i.e. "below" Cocoa, Posix, Mach etc. Calls like access() take account of the restrictions imposed by the sandbox, by ACLs, and by the traditional Unix rwx settings. – Osterman 9/5, 2012 at 19:4

@CRD: I was just wondering where this was documented, since I couldn't find it. – Dincolo 9/5, 2012 at 19:23

@DietrichEpp - I don't know if its documented directly as such, but then the sandbox documentation would hardly fill a shelf ;-) As it is part of the OS it underlies all the system calls and library APIs. Certainly not all library APIs produce "sandboxified" results, but none should bypass the sandbox restrictions (though the sandbox is certainly not bug free). For system calls, such as access, to produce wrong answers would pretty much break the OS in sandbox mode. – Osterman 9/5, 2012 at 21:1

A few things. Always use fileSystemRepresentation when you need a path string. Also, R_OK is adequate if you just want to know if there is a hole in the sandbox for the specified path.

-(BOOL)isAccessibleFromSandbox:(NSString*)path
{
    return( access( path.fileSystemRepresentation, R_OK) == 0 );
}

Taggart answered 10/12, 2013 at 5:37 Comment(0)

Recommended topics

Hot tags