After lots of playing and reading of obscure documentation, it looks like Lion creates a duplicate library in the Containers folder so even a sandboxed app with no read or write file access still has access to its own Application Support, Caches, and Preferences folders, among others. The file access setting refers to files opened through standard appkit api panels; accessing arbitrary files without user interaction is still blocked (only files users open with these apis even appear in your sandboxed world while everything else appears to not exist).
I also found that Allow Incoming Connections is the one that blocks port binding and general server type behavior. The outgoing covers general client behavior like requesting and receiving data responses. Hopefully this will help someone else as I can't point to any easy docs to refer to as this info was gather piecemeal from official and unofficial docs and through trial and error. On Aug 18, 2011, at 10:08 AM, Sean McBride wrote: > On Wed, 17 Aug 2011 03:17:30 -0600, Michael Vannorsdel said: > >> Apologies if this has been covered in the past but my searches did not >> turn up anything as specific as I'm looking for. > > Are you talking about on Lion? If so, there hasn't been much discussion of > this new feature here yet. > >> Is there a way to refine sandbox entitlements to allow read/write access >> to specific files and directories instead of just all or none? For >> instance, only allowing RW to Caches and Preferences but nowhere else. > > com.apple.security.temporary-exception.files.absolute-path.read-write > > But "temporary-exception" suggests you should file bugs for better solutions. > >> And on a side question, does outgoing network entitlement mean the >> binding of a port for services or does it mean any outbound data such as >> an http request? > > I believe it allows any connections. I haven't seen a way to permit access > to only some hosts or only some ports. _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
