I've written a program in the Mac App store which displays some graphics. Occasionally it updates these off the internet. As with most folks, I'm having to Sandbox my app now.
Almost everything is working, but when updating it saves a file in my app's own bundle and fails with 'sandboxd: deny file-write-create'
I just use fopen(..., "wb")
The path passed into fopen is:
/Users/MyUser/Library/Developer/Xcode/DerivedData/MyApp-czuwveatgjffaggwqjdqpobjqqop/Build/Products/Debug/My.app/Contents/Resources/the_file.foo
The path is created using:
CFBundleRef bundle = CFBundleGetMainBundle();
CFURLRef url = CFBundleCopyResourcesDirectoryURL(bundle);
CFURLGetFileSystemRepresentation(url, true, (UInt8*)buf, sizeof(buf));
Am I doing something obviously wrong here? My app is multi-platform so ideally I'd keep using fopen/etc. As I understood, the app should be allowed to write into its own bundle, even if it is blocked from doing anything elsewhere?
thanks!
OS X apps should never write into the app bundle (even if they aren't sandboxed). In OS X, the application doesn't have any more access to the file system than the user does on their own, and the user (generally) won't have permissions to modify anything in /Applications. Note that this is quite different from iOS apps, which normally store their data inside the app bundle.
In OS X, application data is generally stored in each user's Library folder, in one of a number of subfolders depending on the type of data it is; see Apple's note on "The Library Directory Stores App-Specific Files" for the primary ones. Sandboxing complicates this, because each app gets its own Container inside the user's Library. Apple provides a number of methods for determining the correct location for various kinds of data; see "Determining Where to Store Your App-Specific Files".
Related
I'm signing a .dmg containing a .app with a valid Developer ID profile. Everything is signed, frameworks included. When I run codesign -dvvv, the right certificate appears and satisfies its Designated Requirement. The application runs fine.
However, when I upload and download the .dmg, the signature "disappears". When I run codesign -dvvv, it says code object is not signed at all. And GateKeeper naturally refuses to run the application.
Note: it sounds a lot like this issue but I'm definitely signing with the right Developer ID certificate, and the .dmg does not appear "damaged".
[Note: the situation changed significantly in OS X v10.11.5 and v10.12; this answer has been updated to reflect that.]
In general, the thing you really need to sign is the files (mainly the app) inside the disk image, not the image itself. After the image is downloaded, the signature on the individual items will be checked as they are used. Starting in OS X 10.11.5, signing disk images is properly supported and sometimes required, but that's in addition to signing the relevant items inside it.
Through OS X v10.11.4, you could sign the disk image itself (with codesign -s "Developer ID Application: [your company]" example.dmg), but the signature this creates is stored in the form of extended attributes attached to the image file. Actually, it creates three xattrs, named com.apple.cs.CodeDirectory, com.apple.cs.CodeRequirements, and com.apple.cs.CodeSignature. The critical thing to realize is that these attributes are filesystem metadata -- that is, they're attached to the file, not part of the file's contents. The HTTP protocol has very limited support for filesystem metadata, so when you upload or download via HTTP (or FTP or...), it only transfers the file's contents, and the xattrs are lost.
You can see the xattrs with the ls -l# command (and in even more detail with the xattr command):
$ ls -l# example.dmg
-rw-r--r--# 1 gordon staff 338590 Nov 13 2013 example.dmg
com.apple.cs.CodeDirectory 120
com.apple.cs.CodeRequirements 172
com.apple.cs.CodeSignature 8515
com.apple.diskimages.fsck 20
com.apple.diskimages.recentcksum 81
After downloading, the image will have lost those attributes (and probably gained com.apple.quarantine and com.apple.metadata:kMDItemWhereFroms from the download process), and hence will not be considered signed. The files contained in it, on the other hand, should still be properly signed (since their signatures are part of the image file's contents.)
Starting in OS X v10.11.5, codesign supports embedding the signature into the disk image itself, so that it will survive being downloaded over HTTP. Starting in v10.12, gatekeeper will enforce additional restrictions on apps in unsigned disk images that will prevent the app from loading additional content (mainly dynamic libraries) from the disk image, unless they're contained inside the app itself. If you don't know whether that's relevant to your app, go ahead and sign the disk image (actually, it's a good idea anyway), but be sure to run codesign under 10.11.5 or later or the signature won't be in a useful format!
I have a 32-bit windows old application (with the C/Win32 source) that creates its data file in the same folder where the executable is.
Because the application has no installation program and the user can place the executable wherever he/she wants, the application has a dialog to inform the user where its data is located.
But under Microsoft Vista/Seven if the user puts the application in the Program Files or any other system-protected folder the data file gets virtualized and moved to a virtual-store.
If, under Vista/Seven, I still want to inform the user where the data file is located:
(without preventing virtualization in the manifest file)
How can I know (programatically) if the data file is virtualized? Or if the folder where the executable is located implies that data file will be virtualized?
Assuming I know the data file is virtualized, how can I know (programatically) the location of the virtual folder, to show it in the information dialog?
I have found the following question very close to what I'm asking but it doesn't show the solution (if any) of knowing when virtualization is taking place for a file, and where it gets virtualized.
How to detect file redirection to the Windows VirtualStore?
Virtualization is transparent to the app. The only way to know whether it is being virtualized is to ask the OS, per the answer in the question you linked to (use GetTokenInformation() with the TokenVirtualizationEnabled flag), but there is no way (that I know of) of asking the OS where the virtualized items are actually stored, as it may be different from one OS version to the next. You will have to do some research and then hard-code the paths for each given OS that your app detects at runtime.
If you are going to update your code to detect virtualization, then you are better off updating the code to play nicer with UAC instead. Stop storing your files where they do not belong, and start storing them where Microsoft wants you to store them. In this case, within the user's profile instead. Use SHGetFolderPath() or related function to locate the user's CSIDL_LOCAL_APPDATA folder (or SHGetKnownFolderPath() on Vista+ to locate the FOLDERID_LocalAppData folder), then create a subfolder underneath it for your app to store its data files in.
I am writing a command line tool. There I'd like to create a directory in the /Users/user_name/Library directory. When I run that program from Terminal as a root, then everything is ok, but the problem is when I want to use that tool as a backend for cups (that program is called, also as root, when I print something). The program is called, but in the system.log file I found the error: sandboxd: deny file-write-*. I'm a new Mac OS X programmer and I'm not sure how to fix it. Anybody can help me?
Since Snow Leopard cups is running in a sandbox that prevents it from misbehaving - like accessing user's home. Depending on your OS X version you can get away by using another directory, not user's home. On Lion it is even more restrictive than that. The sandboxing rules are built-in to the cups binary (as opposed to sb scripts), so your only luck may be replacing cups with a version that specifically allows access to what you need in the sandbox (if you really want to go there, the rules are defined by cupsdCreateProfile in cups/scheduler/process.c). AFAICT there is nothing you can do in your application, because sandboxing is designed to prevent exactly what you are trying to do.
Another alternative is to not run cups as root, because sandboxing is only used when cups is run as root.
I am writing a MailStatistics app that need to go to the file ~/Library/Mail/Envelop Index to get the mail information. My app does not write anything into the file system but when I submitted it to the Apple Store, the app gets rejected because: "Apps that do not comply with the Mac OS X File System documentation will be rejected"
Does anyone know all possible reasons that can lead to this specific rejection
I think I know the problem, it may be because I set the mode to become READWRITE instead of READONLY. I changed it back and hope that Apple will accept it this time
Windows lets you develop a filter driver to catch file I/O's on VFS. But I can't seem to find something similar for Mac. It does have something called Filter Schemes, but those are for HFS+. Anyone know if there is a way for me to intercept file I/O's on Mac without using programs like MacFUSE?
I found out that Mac OS X does not allow filter drivers at all.
“A stacking file system (sometimes called a filter file system) sits on top of another file system and modifies its behavior in some way. The canonical example of a stacking file system is an encryption file system. You could stack this file system on top of any existing file system to provide encryption support. Apple does not support the development of stacking VFS plug-ins on Mac OS X” (http://developer.apple.com/mac/library/qa/qa2001/qa1242.html)
kauth (introduced in OS X 10.4) is the closest thing to FS filter drivers.
Here is a nice write-up on the various APIs present on Mac OS X. It should be a good starting point.
Link
I'm not at all familier with the Windows technologies that you mention, but it sounds like you might be looking for FSEvents.
http://developer.apple.com/mac/library/documentation/Darwin/Conceptual/FSEvents_ProgGuide/Introduction/Introduction.html
The file system events API provides a
way for your application to ask for
notification when the contents of a
directory hierarchy are modified. For
example, your application can use this
to quickly detect when the user
modifies a file within a project
bundle using another application.
It also provides a lightweight way to
determine whether the contents of a
directory hierarchy have changed since
your application last examined them.
For example, a backup application can
use this to determine what files have
changed since a given time stamp or a
given event ID.
You should read this document if your
application works with a large number
of files—particularly if your
application works with large
hierarchies of files.