简体繁体 English

OS X沙箱问题

[英]OS X sandboxing questions

原文 2011-12-23 10:17:44 6 2 macos/ cocoa/ sandbox

I have a Mac application in the App Store and am looking to adopt sandboxing before it becomes a mandatory requirement. 我在App Store中有一个Mac应用程序，并希望在成为强制性要求之前采用沙盒。 I've run into two issues and was hoping to post here for some insight into best practice in the following situations: 我遇到了两个问题，并希望在此处发布有关以下情况下最佳实践的一些见解：

Within my application I use an NSOpenPanel to prompt the user to load a proprietary file format. 在我的应用程序中，我使用NSOpenPanel提示用户加载专有文件格式。 After loading the file my application parses it and gathers a list of NSURLs to local files. 加载文件后，我的应用程序对其进行解析，并收集本地文件的NSURL列表。 These local files are then passed to NSImage's initWithContentsOfURL: method. 然后将这些本地文件传递到NSImage的initWithContentsOfURL：方法。 Unfortunately, the act of loading the image files causes the sandbox to cancel the action. 不幸的是，加载图像文件的操作导致沙箱取消该操作。 I understand that this happens because the user has given my application explicit permission to open the file selected by the NSOpenPanel, but not for the files referenced within my proprietary format. 我知道发生这种情况是因为用户已授予我的应用程序显式权限来打开由NSOpenPanel选择的文件，而不是我专有格式中引用的文件。 How can I handle this (supposedly fairly common) situation? 如何处理这种（据说相当普遍）的情况？
I have a unix executable file contained within my applications bundle that I would like to execute using an NSTask. 我的应用程序捆绑包中包含一个unix可执行文件，我想使用NSTask执行该文件。 Is this legal under sandboxing, given that the script is contained within my bundle? 鉴于脚本包含在我的捆绑软件中，在沙盒下合法吗？

If anyone could clarify the above points, that would be appreciated. 如果有人可以澄清以上几点，将不胜感激。

2 个解决方案

1) From my understanding the NSURL object contains the permissions necessary to re-access the files later, so if you are using hardcoded paths, you could replace them with archived NSURL objects. 1）据我了解，NSURL对象包含以后重新访问文件所必需的权限，因此，如果您使用的是硬编码路径，则可以将它们替换为已归档的NSURL对象。 This is also assuming the user selected those filies within an NSOpenPanel at an earlier point. 这也假设用户在较早的时候在NSOpenPanel中选择了那些文件。

2) You can run a NSTask but it inherits the permissions of your main app. 2）您可以运行NSTask，但它会继承主应用程序的权限。

Hopefully others can chime in with more information. 希望其他人可以提供更多信息。 I've found the Mac Developer Boards , specifically the "Application Sandboxing" forums to be helpful, as Apple employees often drop in. So far, I've found sandboxing to be an unusable mess. 我发现Mac开发者委员会，特别是“应用程序沙箱”论坛是有帮助的，因为Apple员工经常加入。到目前为止，我发现沙箱是一个不可用的烂摊子。

Easy one first: you can run your helper with NSTask and it will inherit the sandbox of your app. 第一步很简单：您可以使用NSTask运行您的帮助程序，它将继承您应用程序的沙箱。

Those URLs: not easily/reliably/at all. 那些网址：不容易/可靠/根本没有。 There is a way to save NSURLs to files you have access to in such a way that a subsequent run of your application and re-load them and regain access, however it is deemed fragile and not to be recommended. 有一种方法可以将NSURL保存到您可以访问的文件中，这样可以在以后运行应用程序并重新加载它们并重新获得访问权限，但是这被认为是脆弱的，因此不建议这样做。 Read the Apple developer forums and this is an Apple acknowledged problem they are "working on"; 阅读Apple开发人员论坛，这是他们正在“解决”的Apple公认问题； given this using the fragile solution is probably not worth the effort - search the developer forums for the fragile solution if you really want to hack something that sort of works now. 鉴于此，使用脆弱的解决方案可能不值得花大功夫-如果您真的想立即破解某些可行的方法，请在开发者论坛上搜索脆弱的解决方案。