Let's say a sandboxed Cocoa-based Application spawns an instance of SSH. So far so good, the SSH process is starting.
The problem is, how to allow the child process to read files (e.g. ~/.ssh/config or ~/.ssh/known_hosts, or even ~/.ssh/my_specific_rsa_id)?
Thank you!
Your spawned process inherits the sandbox of its parent, if this was not the case any process could break out of the sandbox...
You can enable your parent process to have access to these files, either by requesting that access right from the user (and then saving it for subsequent runs using a security-scoped bookmark) or through temporary entitlements.
If you are a developer go to the developer forums and search on SSH in the sandbox topic. The issue is well covered and advice from Apple engineers is available.
If you are not a developer, ditch the sandbox - at least for this app - you're just creating problems for yourself.