I'm writing a Mac application that takes a file as input, lets the user do metadata manipulation, then sends the file to a Python script to handle the output. This works really well without sandboxing. As with everything, sandboxing makes it difficult.
The python library I've embedded in my NSBundle is calling some MimeTypes libraries owned by the System, but these are trying to open /etc/apache2/mime.types, which I don't have in my sandbox, and is failing with error: IOError: [Errno 1] Operation not permitted: '/etc/apache2/mime.types'.
Here are my entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
And here is the full traceback:
Traceback (most recent call last):
File "/Users/thomaspritchard/Library/Developer/Xcode/DerivedData/Chapters-ejrappchxzcmqxdjlzydqffndmtk/Build/Products/Debug/Chapters.app/Contents/Resources/EditChaptersScript.py", line 3, in <module>
import eyed3 # ID3 Writer
File "/Users/thomaspritchard/Library/Developer/Xcode/DerivedData/Chapters-ejrappchxzcmqxdjlzydqffndmtk/Build/Products/Debug/Chapters.app/Contents/Resources/eyed3/__init__.py", line 91, in <module>
from .utils.log import log
File "/Users/thomaspritchard/Library/Developer/Xcode/DerivedData/Chapters-ejrappchxzcmqxdjlzydqffndmtk/Build/Products/Debug/Chapters.app/Contents/Resources/eyed3/utils/__init__.py", line 33, in <module>
_mime_types = mimetypes.MimeTypes()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/mimetypes.py", line 66, in __init__
init()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/mimetypes.py", line 358, in init
db.read(file)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/mimetypes.py", line 202, in read
with open(filename) as fp:
IOError: [Errno 1] Operation not permitted: '/etc/apache2/mime.types'
Thanks in advance for your help, I'd really like to be able to distribute this application in the Mac App Store, but I've been banging my head against the wall on this issue.
EDIT: I thought that perhaps I could allow access to the file, /etc/apache2/mime.types, through Temporary Exception Entitlements. With this updated entitlements plist, it exits with the same error:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
<string>/etc/apache2/mime.types</string>
</array>
</dict>
</plist>
Interestingly, if I use the absolute path /, instead of /etc/apache2/mime.types, it works, but there is no chance in hell Apple would allow that in the Mac App Store!
Found the issue. There seems to be an issue in OS X with setting entitlements for /etc/ when it contains a symbolic link! I have changed it to /private/etc/ and it works now.
Thanks to this answer for helping me get to the answer.
EDIT: Apple Engineers have said this is an appropriate exception to use, and have closed my radar. If you have the same issue, reference Radar: #24011257.
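The behaviour described in the answer, as an added example that is not part of the original question or answer: the sandbox compares the path the process actually opens, with symlinks already resolved by the kernel (so /etc/apache2/mime.types becomes /private/etc/apache2/mime.types), against the literal strings in the entitlements plist. The script below parses an entitlements plist with the standard-library plistlib, resolves a requested path against a small table of the symlinks a stock macOS install has (/etc, /tmp, /var pointing into /private), and reports which temporary-exception entry, if any, covers the resolved path. The symlink table, the literal-comparison rule and the file-versus-directory (trailing slash) convention are assumptions made for this example; on a real Mac, os.path.realpath() gives the same resolution without the table.

```python
import os
import plistlib
import posixpath

EXC_KEY = "com.apple.security.temporary-exception.files.absolute-path.read-only"

# Assumed for this example: the symlinks present on a stock macOS install.
# On a real Mac, os.path.realpath(path) performs this resolution for you.
MACOS_SYMLINKS = {
    "/etc": "/private/etc",
    "/tmp": "/private/tmp",
    "/var": "/private/var",
}


def resolve(path, symlinks=MACOS_SYMLINKS):
    """Resolve symlinks component by component (targets in the table are
    assumed to be absolute and not themselves symlinks), mimicking what the
    kernel does before the sandbox policy sees the path."""
    resolved = "/"
    for part in posixpath.normpath(path).split("/"):
        if not part:
            continue
        resolved = posixpath.join(resolved, part)
        target = symlinks.get(resolved)
        if target is not None:
            resolved = target  # follow the link, then keep walking
    return resolved


def load_entitlements(plist_bytes):
    """Parse an XML entitlements plist into a dict."""
    return plistlib.loads(plist_bytes)


def covering_exception(entitlements, wanted_path):
    """Return the absolute-path exception entry that grants read access to
    wanted_path after symlink resolution, or None if nothing covers it.
    Assumption (matches the page): entries are compared literally, never
    resolved, so '/etc/...' never matches the real '/private/etc/...' path.
    A trailing slash marks a directory entry that covers everything below it;
    an entry without one covers only that exact file."""
    real = resolve(wanted_path)
    for entry in entitlements.get(EXC_KEY, []):
        if entry.endswith("/"):
            base = entry.rstrip("/")
            if real == base or real.startswith(base + "/"):
                return entry
        elif real == entry:
            return entry
    return None


def suggested_entry(wanted_path):
    """The path string that actually needs to go into the entitlement."""
    return resolve(wanted_path)


# Constructed sample input: the entitlements from the question, trimmed to
# the keys that matter here.
ENTITLEMENTS_BROKEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array><string>/etc/apache2/mime.types</string></array>
</dict>
</plist>
"""

ENTITLEMENTS_FIXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array><string>/private/etc/</string></array>
</dict>
</plist>
"""

if __name__ == "__main__":
    wanted = "/etc/apache2/mime.types"
    for label, blob in (("broken", ENTITLEMENTS_BROKEN), ("fixed", ENTITLEMENTS_FIXED)):
        hit = covering_exception(load_entitlements(blob), wanted)
        print(f"{label}: open({wanted}) -> {resolve(wanted)} covered by {hit!r}")
    print("entry to use:", suggested_entry(wanted))
    if os.path.islink("/etc"):  # only true on a real Mac
        print("realpath:", os.path.realpath(wanted))
```

Running it on the question's two plists shows the first exception never matches because the open is recorded as /private/etc/apache2/mime.types, while the /private/etc/ directory entry does. A "/" entry covers the file too, which is why that worked for the asker, but it grants read access to the entire filesystem and is far broader than the single file the script needs.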