folder entitlements EPERM


Jack Brindle
 

You can open the desired System Preference Security Pane from your app to help the user with making the selection you need. Many apps have pretty cool dialogs that not only direct the user to the pane, but also point out exactly what needs to be done in that pane.

Do a web search for MacOS System Preference Links to find a listing of the URLs. As an example, the link for Full Disk is:
x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles

The interesting Objective-C code looks like:

[[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:@"x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles”]];

Enjoy!

Jack


On Jan 25, 2021, at 5:58 PM, Gerriet M. Denkmann <gerriet@...> wrote:



On 26 Jan 2021, at 08:28, Jack Brindle via groups.io <jackbrindle@...> wrote:

Not just app store apps, on Catalina and especially Big Sur, all apps.

The suggestion is to have the user drag the app to the “Full Disk Access” panel of the Security & Privacy’s Privacy pane. Then you should be able to get anywhere you’d like.

Thanks a lot! This is the perfect solution for my app:

System Preferences →  Security & Privacy → Privacy → Full Disk Access (bottom of left scroll view) → add or enable app in right scroll view.

Gerriet.


Jack


On Jan 25, 2021, at 3:36 PM, Jens Alfke <jens@...> wrote:



On Jan 25, 2021, at 9:12 AM, Gerriet M. Denkmann <gerriet@...> wrote:

There are quite a few folders, which behave absolutely normal using the Finder, but when my App tries to do:
open(folderPath, O_RDONLY)
it gets an EPERM error: "Operation not permitted”.

When my App  shows an OpenPanel (with this un-opened folder), and the user clicks ok, then the open() works just fine.

Isn't that just the normal behavior of the app sandbox? Sandboxed apps aren't allowed to access arbitrary areas of the filesystem, unless the user has implicitly given permission by navigating to a file/folder in an Open panel, or dropping a document, etc.

—Jens







Alex Zavatone
 

Check out how Carbon Copy Cloner does it if you haven’t seen it recently.

On Jan 25, 2021, at 7:58 PM, Gerriet M. Denkmann <gerriet@mdenkmann.de> wrote:



On 26 Jan 2021, at 08:28, Jack Brindle via groups.io <jackbrindle=me.com@groups.io> wrote:

Not just app store apps, on Catalina and especially Big Sur, all apps.

The suggestion is to have the user drag the app to the “Full Disk Access” panel of the Security & Privacy’s Privacy pane. Then you should be able to get anywhere you’d like.
Thanks a lot! This is the perfect solution for my app:

System Preferences → Security & Privacy → Privacy → Full Disk Access (bottom of left scroll view) → add or enable app in right scroll view.

Gerriet.


Jack


On Jan 25, 2021, at 3:36 PM, Jens Alfke <jens@mooseyard.com> wrote:



On Jan 25, 2021, at 9:12 AM, Gerriet M. Denkmann <gerriet@mdenkmann.de> wrote:

There are quite a few folders, which behave absolutely normal using the Finder, but when my App tries to do:
open(folderPath, O_RDONLY)
it gets an EPERM error: "Operation not permitted”.

When my App shows an OpenPanel (with this un-opened folder), and the user clicks ok, then the open() works just fine.
Isn't that just the normal behavior of the app sandbox? Sandboxed apps aren't allowed to access arbitrary areas of the filesystem, unless the user has implicitly given permission by navigating to a file/folder in an Open panel, or dropping a document, etc.

—Jens





Gerriet M. Denkmann
 

On 26 Jan 2021, at 08:28, Jack Brindle via groups.io <jackbrindle=me.com@groups.io> wrote:

Not just app store apps, on Catalina and especially Big Sur, all apps.

The suggestion is to have the user drag the app to the “Full Disk Access” panel of the Security & Privacy’s Privacy pane. Then you should be able to get anywhere you’d like.
Thanks a lot! This is the perfect solution for my app:

System Preferences → Security & Privacy → Privacy → Full Disk Access (bottom of left scroll view) → add or enable app in right scroll view.

Gerriet.


Jack


On Jan 25, 2021, at 3:36 PM, Jens Alfke <jens@mooseyard.com> wrote:



On Jan 25, 2021, at 9:12 AM, Gerriet M. Denkmann <gerriet@mdenkmann.de> wrote:

There are quite a few folders, which behave absolutely normal using the Finder, but when my App tries to do:
open(folderPath, O_RDONLY)
it gets an EPERM error: "Operation not permitted”.

When my App shows an OpenPanel (with this un-opened folder), and the user clicks ok, then the open() works just fine.
Isn't that just the normal behavior of the app sandbox? Sandboxed apps aren't allowed to access arbitrary areas of the filesystem, unless the user has implicitly given permission by navigating to a file/folder in an Open panel, or dropping a document, etc.

—Jens


Jack Brindle
 

Not just app store apps, on Catalina and especially Big Sur, all apps.

The suggestion is to have the user drag the app to the “Full Disk Access” panel of the Security & Privacy’s Privacy pane. Then you should be able to get anywhere you’d like.

Jack


On Jan 25, 2021, at 3:36 PM, Jens Alfke <jens@...> wrote:



On Jan 25, 2021, at 9:12 AM, Gerriet M. Denkmann <gerriet@...> wrote:

There are quite a few folders, which behave absolutely normal using the Finder, but when my App tries to do:
open(folderPath, O_RDONLY)
it gets an EPERM error: "Operation not permitted”.

When my App  shows an OpenPanel (with this un-opened folder), and the user clicks ok, then the open() works just fine.

Isn't that just the normal behavior of the app sandbox? Sandboxed apps aren't allowed to access arbitrary areas of the filesystem, unless the user has implicitly given permission by navigating to a file/folder in an Open panel, or dropping a document, etc.

—Jens


Jon Gotow
 

On Jan 25, 2021, at 5:16 PM, Ben Kennedy <ben-groups@zygoat.ca> wrote:

Presumably you could solicit access to the root of the volume once, and thereafter build URLs for the relevant subpaths based on the security-scoped URL returned by the panel.

Per https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html#//apple_ref/doc/uid/TP40011183-CH3-SW20 :
I got rejected from the App Store for doing that. However, there are lots of apps in the App Store that prompt for access to the root level of a disk using an Open dialog and get approved, so you may get lucky.

In my case, I didn't bother to fight it, as it was just for a free app (Go64). I released it directly on my website instead.

- Jon


Ben Kennedy
 

On 25 Jan 2021, at 9:12 am, Gerriet M. Denkmann <gerriet@mdenkmann.de> wrote:

When my App shows an OpenPanel (with this un-opened folder), and the user clicks ok, then the open() works just fine.

The problem: there might be a lot of these folders, and clicking dozens of OpenPanel becomes tedious rather fast.
Presumably you could solicit access to the root of the volume once, and thereafter build URLs for the relevant subpaths based on the security-scoped URL returned by the panel.

Per https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html#//apple_ref/doc/uid/TP40011183-CH3-SW20 :

When a user of your app specifies they want to use a file or a folder, the system adds the associated path to your app’s sandbox. Say, for example, a user drags the ~/Documents folder onto your app’s Dock tile (or onto your app’s Finder icon, or into an open window of your app), thereby indicating they want to use that folder. In response, the system makes the ~/Documents folder, its contents, and its subfolders available to your app.
-ben


 



On Jan 25, 2021, at 9:12 AM, Gerriet M. Denkmann <gerriet@...> wrote:

There are quite a few folders, which behave absolutely normal using the Finder, but when my App tries to do:
open(folderPath, O_RDONLY)
it gets an EPERM error: "Operation not permitted”.

When my App  shows an OpenPanel (with this un-opened folder), and the user clicks ok, then the open() works just fine.

Isn't that just the normal behavior of the app sandbox? Sandboxed apps aren't allowed to access arbitrary areas of the filesystem, unless the user has implicitly given permission by navigating to a file/folder in an Open panel, or dropping a document, etc.

—Jens


Gerriet M. Denkmann
 

macOS 11.1

There are quite a few folders, which behave absolutely normal using the Finder, but when my App tries to do:
open(folderPath, O_RDONLY)
it gets an EPERM error: "Operation not permitted”.

When my App shows an OpenPanel (with this un-opened folder), and the user clicks ok, then the open() works just fine.

The problem: there might be a lot of these folders, and clicking dozens of OpenPanel becomes tedious rather fast.

So: is there some special entitlement, like: "com.apple.security.folders which usually need user action.read-only” ?

Or any ideas, how to handle this?

Gerriet.