How to Run a Shell Script with Mac App Sandbox Ena

Posted 2019-05-27 01:33

Question:

Is it possible to have an app that runs within the sandbox execute a shell script? The script makes use of two basic commands:

defaults write
killall

I know that there are some exceptions to the sandbox that can be added via the entitlements file, but I am not sure whether it would be possible to have the user confirm the execution of the small script and then run it?

Please give me a practical hint... When I run my app with the sandbox off, everything works fine. With the sandbox on, neither command works and this is shown in the console:

killall: warning: kill -TERM 12322: Operation not permitted

Answer 1:

Why would you want to sandbox such a powerful app in the first place? Do you want to modify defaults and killall for specific other apps (somehow possible) or for "all that exist on the machine"?

If for specific other apps, why not do it without the shell? For defaults write use com.apple.security.temporary-exception.shared-preference.read-write, add the domains you'd like to modify (e.g. com.apple.DigitalColorMeter) and use CFPreferencesSetValue().

For killall use com.apple.security.temporary-exception.apple-events and run an Applescript / send AppleEvents to terminate specific processes.
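The shell-free route this answer describes, as an added example that is not part of the original answer. It assumes the two temporary-exception entitlements named above are present in the app's .entitlements file alongside com.apple.security.app-sandbox, each listing com.apple.DigitalColorMeter; the preference key ExampleShowsHex is hypothetical.

```objc
// Added example (not from the original answer). Requires, in the app's
// .entitlements file, in addition to com.apple.security.app-sandbox = true:
//   com.apple.security.temporary-exception.shared-preference.read-write
//       -> array containing "com.apple.DigitalColorMeter"
//   com.apple.security.temporary-exception.apple-events
//       -> array containing "com.apple.DigitalColorMeter"
// The preference key "ExampleShowsHex" is hypothetical.
#import <Foundation/Foundation.h>

static const CFStringRef kTargetApp = CFSTR("com.apple.DigitalColorMeter");

// Equivalent of: defaults write com.apple.DigitalColorMeter ExampleShowsHex -bool YES
// Only domains listed in the shared-preference entitlement are writable.
static BOOL WritePreference(CFStringRef key, CFPropertyListRef value)
{
    CFPreferencesSetValue(key, value, kTargetApp,
                          kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
    // false means the value could not be flushed to disk, which is what you
    // see when the domain is missing from the entitlement.
    return CFPreferencesSynchronize(kTargetApp,
                                    kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
}

// Equivalent of: killall DigitalColorMeter, but cooperative (a "quit" Apple
// event) and limited to the one bundle identifier the entitlement names.
static BOOL QuitTargetApp(NSError **error)
{
    NSAppleScript *script = [[NSAppleScript alloc]
        initWithSource:@"tell application id \"com.apple.DigitalColorMeter\" to quit"];
    NSDictionary *errInfo = nil;
    NSAppleEventDescriptor *result = [script executeAndReturnError:&errInfo];
    if (result == nil && error != NULL) {
        // -1743 (errAEEventNotPermitted) means the event was blocked, either by
        // the sandbox or, on 10.14+, by the user declining the Automation prompt.
        *error = [NSError errorWithDomain:NSOSStatusErrorDomain
                                     code:[errInfo[NSAppleScriptErrorNumber] integerValue]
                                 userInfo:errInfo];
    }
    return result != nil;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        NSError *error = nil;
        if (!WritePreference(CFSTR("ExampleShowsHex"), kCFBooleanTrue)) {
            NSLog(@"preference write failed: check the shared-preference entitlement");
        }
        if (!QuitTargetApp(&error)) {
            NSLog(@"quit failed: %@", error);
        }
    }
    return 0;
}
```

Two caveats a practitioner will hit: temporary-exception entitlements have to be justified during App Store review and may be rejected, and on macOS 10.14 and later sending Apple events to another app additionally needs an NSAppleEventsUsageDescription string in Info.plist and the user's consent in the Automation prompt, independent of the sandbox entitlement.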



Answer 2:

Scripts can be run from the NSApplicationScriptsDirectory directory when the app is sandboxed.

NSError *error = nil;
NSURL *scriptsDirectory = [[NSFileManager defaultManager] URLForDirectory:NSApplicationScriptsDirectory inDomain:NSUserDomainMask appropriateForURL:nil create:YES error:&error];

So how does a user grant access for an application that wants to run scripts?

The mechanism is surprisingly simple: your application can only run scripts from a specific folder in the user’s account. The only way scripts can get into that folder is if the user copies them there. Essentially, OS X gives you a read-only view of what’s in those scripts.

https://www.objc.io/issues/14-mac/sandbox-scripting/

A great article on the subject ^^^
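Putting the directory lookup above together with the class that actually runs a script from it, as an added example that is not part of the original answer. It assumes the user has copied an executable script named restart-finder.sh (a hypothetical name) into ~/Library/Application Scripts/<bundle identifier>/; the app itself cannot write there.

```objc
// Added example (not from the original answer): run a user-installed script
// from the sandboxed app's Application Scripts folder with NSUserUnixTask.
// Assumption: the user has copied an executable script "restart-finder.sh"
// (hypothetical name) into ~/Library/Application Scripts/<bundle identifier>/.
#import <Foundation/Foundation.h>

static void RunUserScript(NSString *scriptName)
{
    NSError *error = nil;
    NSFileManager *fm = [NSFileManager defaultManager];

    // The only directory a sandboxed app may execute scripts from. The app
    // gets a read-only view of it; the user must copy scripts in by hand.
    NSURL *scriptsDir = [fm URLForDirectory:NSApplicationScriptsDirectory
                                   inDomain:NSUserDomainMask
                          appropriateForURL:nil
                                     create:YES
                                      error:&error];
    if (scriptsDir == nil) {
        NSLog(@"Cannot locate Application Scripts directory: %@", error);
        return;
    }

    // Refuse anything that is not a plain executable file in that folder.
    NSURL *scriptURL = [scriptsDir URLByAppendingPathComponent:scriptName];
    if (![fm isExecutableFileAtPath:scriptURL.path]) {
        NSLog(@"No executable script named %@ in %@", scriptName, scriptsDir.path);
        return;
    }

    // NSUserUnixTask launches the script in a separate process outside the
    // app's sandbox, with the user's privileges, so "defaults write" and
    // "killall" inside it behave as they do in Terminal.
    NSUserUnixTask *task = [[NSUserUnixTask alloc] initWithURL:scriptURL error:&error];
    if (task == nil) {
        NSLog(@"Cannot create task for %@: %@", scriptURL.path, error);
        return;
    }

    dispatch_semaphore_t done = dispatch_semaphore_create(0);
    [task executeWithArguments:@[] completionHandler:^(NSError *taskError) {
        if (taskError != nil) {
            NSLog(@"Script %@ failed: %@", scriptName, taskError);
        } else {
            NSLog(@"Script %@ finished", scriptName);
        }
        dispatch_semaphore_signal(done);
    }];
    // Wait only because this is a command-line demo; in an app, update the UI
    // from the completion handler instead of blocking.
    dispatch_semaphore_wait(done, DISPATCH_TIME_FOREVER);
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        RunUserScript(@"restart-finder.sh");
    }
    return 0;
}
```

The script file needs its executable bit set (chmod +x) and a shebang line, otherwise NSUserUnixTask refuses to run it. The trust model is the one the quoted article describes: the user's act of copying the script into that folder is the consent step the question asks about, so there is nothing for the app to prompt for.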



Answer 3:

If you have a good reason, you can kill applications like this:

How can I terminate my app in a helper app with sanboxing enabled?