Monitoring a folder in sandboxed application

Question

How would I monitor the users Trash so that when a file is added I can send an action.

Thanks in advance!

Answer 1

A sandboxed application cannot access the Trash. Sandboxed applications are sandboxed for security reasons and in the Trash may be all kind of documents a user has deleted and that a sandboxed application would have never had access to in their former destination. Of course a user expects that those files are still save once they are put into the Trash.

If it really makes sense for your app to access the Trash, eg because it is a Trash Management app (stupid example, I know), Apple will still grant your application access to the Trash, if you only ask for it. Therefor you need to specify a Temporary Exception Entitlement , either of the type

com.apple.security.temporary-exception.files.home-relative-path.read-only

if read-only access is enough for you or

com.apple.security.temporary-exception.files.home-relative-path.read-write

if you also need write access. Those are the keys in the entitlement dictionary and the value is an array of strings, each string specifies a directory. In your case they array would contain /.Trash , which translates to /Users/<username>/.Trash for the current user. Eg:

<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array>
  <string>/.Trash</string>
</array>

This will allow your app to be partially freed from its sandbox, as long as it only accesses this directory (or its sub-directories).

Note that Apple will only approve an app that uses one of the Temporary Exception Entitlements under certain conditions which are listed on the App Store Connect webside (you must login to see that side and you need an Apple ID with permission to use App Store Connect).

AFAIK those conditions include that you must file a bug report with Apple's Feedback Assistant (again, you must log in to the webside, but this time every Apple ID is allowed to log in) and you must explain Apple why you need this exception as otherwise your app cannot do whatever it is supposed to do. You better be good at explaining that! If Apple doesn't consider your use case legitimate, they will close this bug as invalid and then your app submission will be rejected. If the bug is considered valid, you must tell Apple that your app uses a temporarily entitlement when you submit the App and you must point Apple to the bug report you have created. They will read it again and if the store team agrees with the development team that this is a valid reason, they will allow your submission to pass through.

Once your app has the appropriate entitlement, you should be able to monitor Trash the same way as a not sandboxed app can do so. Eg using the FSEvent API . With the function FSEventStreamCreate() you can create a FSEventStreamRef that monitors a certain path (in your case the Trash), calls a user defined callback function whenever the contents at this path changes and can be scheduled on a RunLoop. Once scheduled, whenever the content of the directory changes, the callback function is called. In the callback function you may do whatever you want to do, eg to get a higher level event (since the callback function is only plain C, so you may want to post a NSNotification that you can handle in your Obj-C code, eg in your UI code) or maybe directly call an Obj-C method of some object (stored in the callback context, a global variable or which is accessible as a singleton, etc.)