Modern versions of macOS use a file system permission model that’s far more complex than the traditional BSD rwx model, and this post is my attempt at explaining that model. If you have a question about this, post it here on DevForums. Put your thread in the App & System Services > Core OS topic area and tag it with Files and Storage.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
On File System Permissions
Modern versions of macOS have four different file system permission mechanisms:
Traditional BSD permissions
Access control lists (ACLs)
App Sandbox
Mandatory access control (MAC)
The first two were introduced a long time ago and rarely trip folks up. The second two are newer, more complex, and specific to macOS, and thus are the source of some confusion. This post is my attempt to clear that up.
Error Codes
App Sandbox and the mandatory access control system are both implemented using macOS’s sandboxing infrastructure. When a file system operation fails, check the error to see whether it was blocked by this sandboxing infrastructure. If an operation was blocked by BSD permissions or ACLs, it fails with EACCES (Permission denied, 13). If it was blocked by something else, it’ll fail with EPERM (Operation not permitted, 1).
If you’re using Foundation’s FileManager, these error are both reported as Foundation errors, for example, the NSFileReadNoPermissionError error. To recover the underlying error, get the NSUnderlyingErrorKey property from the info dictionary.
App Sandbox
File system access within the App Sandbox is controlled by two factors. The first is the entitlements on the main executable. There are three relevant groups of entitlements:
The com.apple.security.app-sandbox entitlement enables the App Sandbox. This denies access to all file system locations except those on a built-in allowlist (things like /System) or within the app’s containers.
The various “standard location” entitlements extend the sandbox to include their corresponding locations.
The various “file access temporary exceptions” entitlements extend the sandbox to include the items listed in the entitlement.
Collectively this is known as your static sandbox.
The second factor is dynamic sandbox extensions. The system issues these extensions to your sandbox based on user behaviour. For example, if the user selects a file in the open panel, the system issues a sandbox extension to your process so that it can access that file. The type of extension is determined by the main executable’s entitlements:
com.apple.security.files.user-selected.read-only results in an extension that grants read-only access.
com.apple.security.files.user-selected.read-write results in an extension that grants read/write access.
Note There’s currently no way to get a dynamic sandbox extension that grants executable access. For all the gory details, see this post.
These dynamic sandbox extensions are tied to your process; they go away when your process terminates. To maintain persistent access to an item, use a security-scoped bookmark. See Accessing files from the macOS App Sandbox. To pass access between processes, use an implicit security scoped bookmark, that is, a bookmark that was created without an explicit security scope (no .withSecurityScope flag) and without disabling the implicit security scope (no .withoutImplicitSecurityScope flag)).
If you have access to a directory — regardless of whether that’s via an entitlement or a dynamic sandbox extension — then, in general, you have access to all items in the hierarchy rooted at that directory. This does not overrule the MAC protection discussed below. For example, if the user grants you access to ~/Library, that does not give you access to ~/Library/Mail because the latter is protected by MAC.
Finally, the discussion above is focused on a new sandbox, the thing you get when you launch a sandboxed app from the Finder. If a sandboxed process starts a child process, that child process inherits its sandbox from its parent. For information on what happens in that case, see the Note box in Enabling App Sandbox Inheritance.
IMPORTANT The child process inherits its parent process’s sandbox regardless of whether it has the com.apple.security.inherit entitlement. That entitlement exists primarily to act as a marker for App Review. App Review requires that all main executables have the com.apple.security.app-sandbox entitlement, and that entitlements starts a new sandbox by default. Thus, any helper tool inside your app needs the com.apple.security.inherit entitlement to trigger inheritance. However, if you’re not shipping on the Mac App Store you can leave off both of these entitlement and the helper process will inherit its parent’s sandbox just fine. The same applies if you run a built-in executable, like /bin/sh, as a child process.
When the App Sandbox blocks something, it typically generates a sandbox violation report. For information on how to view these reports, see Discovering and diagnosing App Sandbox violations.
To learn more about the App Sandbox, see the various links in App Sandbox Resources. For information about how to embed a helper tool in a sandboxed app, see Embedding a Command-Line Tool in a Sandboxed App.
Mandatory Access Control
Mandatory access control (MAC) has been a feature of macOS for many releases, but it’s become a lot more prominent since macOS 10.14. There are many flavours of MAC but the ones you’re most likely to encounter are:
Full Disk Access (macOS 10.14 and later)
Files and Folders (macOS 10.15 and later)
App container protection (macOS 14 and later)
App group container protection (macOS 15 and later)
Data Vaults (see below) and other internal techniques used by various macOS subsystems
Mandatory access control, as the name suggests, is mandatory; it’s not an opt-in like the App Sandbox. Rather, all processes on the system, including those running as root, as subject to MAC.
Data Vaults are not a third-party developer opportunity. See this post if you’re curious.
In the Full Disk Access and Files and Folders cases, users grant a program a MAC privilege using System Settings > Privacy & Security. Some MAC privileges are per user (Files and Folders) and some are system wide (Full Disk Access). If you’re not sure, run this simple test:
On a Mac with two users, log in as user A and enable the MAC privilege for a program.
Now log in as user B. Does the program have the privilege?
If a process tries to access an item restricted by MAC, the system may prompt the user to grant it access there and then. For example, if an app tries to access the desktop, you’ll see an alert like this:
“AAA” would like to access files in your Desktop folder.
[Don’t Allow] [OK]
To customise this message, set Files and Folders properties in your Info.plist.
This system only displays this alert once. It remembers the user’s initial choice and returns the same result thereafter. This relies on your code having a stable code signing identity. If your code is unsigned, or signed ad hoc (“Signed to Run Locally” in Xcode parlance), the system can’t tell that version N+1 of your code is the same as version N, and thus you’ll encounter excessive prompts.
Note For information about how that works, see TN3127 Inside Code Signing: Requirements.
The Files and Folders prompts only show up if the process is running in a GUI login session. If not, the operation is allowed or denied based on existing information. If there’s no existing information, the operation is denied by default.
For more information about app and app group container protection, see the links in Trusted Execution Resources. For more information about app groups in general, see App Groups: macOS vs iOS: Fight!
On managed systems the site admin can use the com.apple.TCC.configuration-profile-policy payload to assign MAC privileges.
For testing purposes you can reset parts of TCC using the tccutil command-line tool. For general information about that tool, see its man page. For a list of TCC service names, see the posts on this thread.
Note TCC stands for transparency, consent, and control. It’s the subsystem within macOS that manages most of the privileges visible in System Settings > Privacy & Security. TCC has no API surface, but you see its name in various places, including the above-mentioned configuration profile payload and command-line tool, and the name of its accompanying daemon, tccd.
While tccutil is an easy way to do basic TCC testing, the most reliable way to test TCC is in a VM, restoring to a fresh snapshot between each test. If you want to try this out, crib ideas from Testing a Notarised Product.
The MAC privilege mechanism is heavily dependent on the concept of responsible code. For example, if an app contains a helper tool and the helper tool triggers a MAC prompt, we want:
The app’s name and usage description to appear in the alert.
The user’s decision to be recorded for the whole app, not that specific helper tool.
That decision to show up in System Settings under the app’s name.
For this to work the system must be able to tell that the app is the responsible code for the helper tool. The system has various heuristics to determine this and it works reasonably well in most cases. However, it’s possible to break this link. I haven’t fully research this but my experience is that this most often breaks when the child process does something ‘odd’ to break the link, such as trying to daemonise itself.
If you’re building a launchd daemon or agent and you find that it’s not correctly attributed to your app, add the AssociatedBundleIdentifiers property to your launchd property list. See the launchd.plist man page for the details.
Scripting
MAC presents some serious challenges for scripting because scripts are run by interpreters and the system can’t distinguish file system operations done by the interpreter from those done by the script. For example, if you have a script that needs to manipulate files on your desktop, you wouldn’t want to give the interpreter that privilege because then any script could do that.
The easiest solution to this problem is to package your script as a standalone program that MAC can use for its tracking. This may be easy or hard depending on the specific scripting environment. For example, AppleScript makes it easy to export a script as a signed app, but that’s not true for shell scripts.
TCC and Main Executables
TCC expects its bundled clients — apps, app extensions, and so on — to use a native main executable. That is, it expects the CFBundleExecutable property to be the name of a Mach-O executable. If your product uses a script as its main executable, you’re likely to encounter TCC problems. To resolve these, switch to using a Mach-O executable. For an example of how you might do that, see this post.
Revision History
2024-11-08 Added info about app group container protection. Clarified that Data Vaults are just one example of the techniques used internally by macOS. Made other editorial changes.
2023-06-13 Replaced two obsolete links with links to shiny new official documentation: Accessing files from the macOS App Sandbox and Discovering and diagnosing App Sandbox violations. Added a short discussion of app container protection and a link to WWDC 2023 Session 10053 What’s new in privacy.
2023-04-07 Added a link to my post about executable permissions. Fixed a broken link.
2023-02-10 In TCC and Main Executables, added a link to my native trampoline code. Introduced the concept of an implicit security scoped bookmark. Introduced AssociatedBundleIdentifiers. Made other minor editorial changes.
2022-04-26 Added an explanation of the TCC initialism. Added a link to Viewing Sandbox Violation Reports. Added the TCC and Main Executables section. Made significant editorial changes.
2022-01-10 Added a discussion of the file system hierarchy.
2021-04-26 First posted.
Files and Storage
RSS for tagAsk questions about file systems and block storage.
Posts under Files and Storage tag
200 Posts
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
General:
Forums subtopic: App & System Services > Core OS
Forums tags: Files and Storage, Foundation, FSKit, File Provider, Finder Sync, Disk Arbitration, APFS
Foundation > Files and Data Persistence documentation
Low-level file system APIs are documented in UNIX manual pages
File System Programming Guide archived documentation
About Apple File System documentation
Apple File System Guide archived documentation
File system changes introduced in iOS 17 forums post
On File System Permissions forums post
Extended Attributes and Zip Archives forums post
Unpacking Apple Archives forums post
Creating new file systems:
FSKit framework documentation
File Provider framework documentation
Finder Sync framework documentation
App Extension Programming Guide > App Extension Types > Finder Sync archived documentation
Managing storage:
Disk Arbitration framework documentation
Disk Arbitration Programming Guide archived documentation
Mass Storage Device Driver Programming Guide archived documentation
Device File Access Guide for Storage Devices archived documentation
BlockStorageDeviceDriverKit framework documentation
Volume format references:
Apple File System Reference
TN1150 HFS Plus Volume Format
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
What’s the recommended way to recursively walk through a directory tree using File Coordination? From what I understand, coordinating a read of a directory only performs a “shallow” lock; this would mean that I’d need to implement the recursive walk myself rather than use FileManager.enumerator(at:includingPropertiesForKeys:options:errorHandler:) plus a single NSFileCoordinator.coordinate(with:queue:byAccessor:) call.
I’m trying to extract information from all files of a particular type, so I think using NSFileCoordinator.ReadingOptions.immediatelyAvailableMetadataOnly on each file before acquiring a full read lock on it (if it’s the right file type) would make sense. Am I on the right track?
Has any one come across file corruption issues with tvOS 26?
I am tracking an issue where files in my app's NSCachesDirectory are getting corrupted (not deleted) when my app is in the background. The issue is sporadic and very hard to reproduce, but is definitely a new issue with 26.
Hi everyone,
I’m running into an issue with PHPickerFilter when using PHPickerViewController.
When I configure the picker with a .videos and .livePhotos filter, it seems to work correctly in the Photos tab. However, when I switch to the Collections tab, the filter doesn’t always apply — users can still see and select static image assets in certain collections (e.g. from one of the People & Pets sections).
Here’s a simplified snippet of my setup:
var configuration = PHPickerConfiguration(photoLibrary: .shared())
configuration.selectionLimit = 1
var filters = [PHPickerFilter]()
filters.append(.videos)
filters.append(.livePhotos)
configuration.filter = PHPickerFilter.any(of: filters)
configuration.preferredAssetRepresentationMode = .current
let picker = PHPickerViewController(configuration: configuration)
picker.delegate = self
present(picker, animated: true)
Expected behavior:
The picker should consistently respect the filter across both Photos and Collections tabs, only showing assets that match the filter.
Actual behavior:
The filter seems to apply correctly in the Photos tab, but in the Collections tab, other asset types are still visible/selectable.
Has anyone else encountered this behavior? Is this expected or a known issue, or am I missing something in the configuration?
Thanks in advance!
Topic:
Media Technologies
SubTopic:
Photos & Camera
Tags:
Files and Storage
Media Library
Photos and Imaging
PhotoKit
Title's basically the whole question. I'm writing an SMS/Call Reporting extension (ILClassificationUIExtensionViewController). My goal is to keep everything on device and not use the built-in SMS/network reporting. To that end, I'm trying to write to a file in the App Group container from the classificationResponse handler. I'm getting Error 513: "You don’t have permission to save the file “classification_log.txt” in the [app group container folder]".
I haven't been able to find much in the documentation on whether this behavior is enforced in classificationResponse handlers. Apple's barebones page on "SMS and Call Spam Reporting"[1] says "the system always deletes your extension’s container after your extension terminates," but that doesn't answer whether you can write to an App Group container. I haven't been able to find that answer elsewhere. ChatGPT and Gemini are both very sure it can be done. Any thoughts?
[1] https://developer.apple.com/documentation/identitylookup/sms-and-call-spam-reporting
Topic:
App & System Services
SubTopic:
Core OS
Tags:
SMS and Call Reporting
Files and Storage
Security
Hello, appreciate any help here.
Objective: perform a scoped write to a removable block device (using low-level system frameworks in C).
Issue: launchd-run privileged helper (as root) denied permission to open block device. Manual 'sudo ./helper' call succeeds, however.
Importantly: the entire process works flawlessly if the main app is granted Full Disk Access in Privacy & Security. However, this should be completely unnecessary for this objective, as scoped access should be sufficient, and FDA is in fact not required for other apps which perform this task.
Architecture and flow:
Main GUI process collects ISO path and target removable device path (queried via IOKit).
Main GUI process installs a Privileged Helper via SMJobBless.
The Privileged Helper is started on demand by launchd as root (UID 0, EUID 0).
Main GUI process communicates selected ISO and device paths to Privileged Helper via XPC.
Privileged Helper conducts security and sanity checks, unmounts volumes from target device via DiskArbitration.
Privileged Helper obtains file handles to ISO and target block device (e.g.: "/dev/disk4").
Privileged Helper performs a byte-by-byte write to the target block device.
Problematic area:
Simplified example using C syscalls (via Zig):
const path = "/dev/disk5";
// Note that even with readonly flag this fails
const fd = c.open(path, c.O_RDONLY, @as(c_uint, 0));
defer _ = c.close(fd);
if (fd < 0) {
const err_num = c.__error().*;
const err_str = c.strerror(err_num);
log("open() failed with errno {}: {s}", .{ err_num, err_str });
}
Output (when run by launchd - UID 0, EUID 0, domain: system):
open() failed with errno 1: Operation not permitted
Simplified example with Zig open interface:
const directory = try std.fs.openDirAbsolute(deviceDir, .{ .no_follow = true });
const device = try directory.openFile("/dev/disk5", .{ .mode = .read_write, .lock = .exclusive });
errdefer device.close();
Output (when run by launchd - UID 0, EUID 0, domain: system):
Error: error.AccessDenied
Running the same examples by manually launching the binary with a test argument succeeds:
sudo ./helper "/dev/disk5"
...
Notable points:
Both Main GUI process and the Privileged Helper binary are codesigned (via codesign ...).
Privileged Helper has both Info.plist and Launchd.plist symbols exported into its binary.
Privileged Helper has no codesign flags (e.g.: for hardened runtime or others): CodeDirectory v=20400 size=8130 flags=0x0(none) hashes=248+2 location=embedded
Output of sudo launchctl print system/<helper-bundle-id> shows nothing of interest to indicate any security restrictions.
Appreciate any advice here!
Topic:
App & System Services
SubTopic:
Core OS
Tags:
Background Tasks
Disk Arbitration
Files and Storage
Hi,
My Mac app allows a customer to drag and drop a file package onto a SwiftUI view. I can't seem to find a way to successfully call .startAccessingSecurityScopedResource() with the file/dir that was dropped into the view.
I put together a simple test app. Here is the code:
struct ContentView: View {
@State var isTargetedForDrop: Bool = false
var body: some View {
VStack {
Image(systemName: "globe")
.imageScale(.large)
.foregroundStyle(.tint)
Text("Hello, world!")
Rectangle()
.stroke(Color.gray)
.onDrop(of: [UTType.fileURL], isTargeted: $isTargetedForDrop) { providers in
guard let provider = providers.first(where: { $0.hasItemConformingToTypeIdentifier(UTType.fileURL.identifier) }) else {
return false
}
provider.loadItem(forTypeIdentifier: UTType.fileURL.identifier, options: nil) { item, error in
if let error = error {
print("Drop load error: \(error)")
return
}
if let url = item as? URL {
print("Dropped file URL: \(url)")
} else if let data = item as? Data,
let url = URL(dataRepresentation: data, relativeTo: nil) {
print("Dropped file URL (from data): \(url)")
let access = url.startAccessingSecurityScopedResource()
if access {
print("Successfully accessed file at URL: \(url)")
} else {
print("Failed to access file at URL: \(url)")
}
url.stopAccessingSecurityScopedResource()
} else {
print("Unsupported dropped item: \(String(describing: item))")
}
}
return true
}
}
.padding()
}
}
When I drop a file package into this view I see, "Failed to access file at URL: <the_full_file_path>"
I'm running Xcode 26 on macOS 26.
With the RC version of macOS 26, an issue persists when you try to create a bookmark with security scope for the root folder "/". This leads to an error "The file couldn’t be opened.". However, you can create bookmark for /Applications, /System, /Users...
This is quite annoying for one of my app because a user can create a cartography of his disk usage, and the access to the root folder "/" is the only way to do so!
Is there a workaround?
PS: reported the issue with ID FB20186406
let openPanel = NSOpenPanel()
openPanel.canChooseDirectories = true
openPanel.canChooseFiles = false
openPanel.beginSheetModal(for: self.view.window!) { (result) in
guard result == .OK, let folderURL = openPanel.url else {
return
}
openPanel.close()
do {
let data = try folderURL.bookmarkData(options: .withSecurityScope, includingResourceValuesForKeys: nil, relativeTo: nil)
print("Bookmark data was created for \(folderURL.path)")
} catch (let error) {
print("Error creating bookmark for \(folderURL.path), with error: \(error.localizedDescription)")
}
}
When I drag and drop a file with flag "shouldAttemptToOpenInPlace: true", I was able to access the original file name in macOS 15.
After upgrading to macOS 26, I can't access the original file name anymore. Instead, I got some useless file name such as ".com.apple.Foundation.NSItemProvider.gKZ91u.tmp".
The app no longer works with these tmp filenames because it needs the orignal file name to do the file transfer. (Btw, this is a WinSCP like app on Mac platform)
Could you please check and fix this issue? Thank you.
FileRepresentation(contentType: .item, shouldAttemptToOpenInPlace: true)
I'm debugging the following kernel panic to do with my custom filesystem KEXT:
panic(cpu 0 caller 0xfffffe004cae3e24): [kalloc.type.var4.128]: element modified after free (off:96, val:0x00000000ffffffff, sz:128, ptr:0xfffffe2e7c639600)
My reading of this is that somewhere in my KEXT I'm holding a reference 0xfffffe2e7c639600 to a 128 byte zone that wrote 0x00000000ffffffff at offset 96 after that particular chunk of memory had been released and zeroed out by the kernel.
The panic itself is emitted when my KEXT requests the memory chunk that's been tempered with via the following set of calls.
zalloc_uaf_panic()
__abortlike
static void
zalloc_uaf_panic(zone_t z, uintptr_t elem, size_t size)
{
...
(panic)("[%s%s]: element modified after free "
"(off:%d, val:0x%016lx, sz:%d, ptr:%p)%s",
zone_heap_name(z), zone_name(z),
first_offs, first_bits, esize, (void *)elem, buf);
...
}
zalloc_validate_element()
static void
zalloc_validate_element(
zone_t zone,
vm_offset_t elem,
vm_size_t size,
zalloc_flags_t flags)
{
...
if (memcmp_zero_ptr_aligned((void *)elem, size)) {
zalloc_uaf_panic(zone, elem, size);
}
...
}
The panic is triggered if memcmp_zero_ptr_aligned(), which is implemented in assembly, detects that an n-sized chunk of memory has been written after being free'd.
/* memcmp_zero_ptr_aligned() checks string s of n bytes contains all zeros.
* Address and size of the string s must be pointer-aligned.
* Return 0 if true, 1 otherwise. Also return 0 if n is 0.
*/
extern int
memcmp_zero_ptr_aligned(const void *s, size_t n);
Normally, KASAN would be resorted to to aid with that.
The KDK README states that KASAN kernels won't load on Apple Silicon.
Attempting to follow the instructions given in the README for Intel-based machines does result in a failure for me on Apple Silicon.
I stumbled on the Pishi project.
But the custom boot kernel collection that gets created doesn't have any of the KEXTs that were specified to kmutil(8) via the --explicit-only flag, so it can't be instrumented in Ghidra.
Which is confirmed as well by running:
% kmutil inspect -B boot.kc.kasan
boot kernel collection at /Users/user/boot.kc.kasan
(AEB8F757-E770-8195-458D-B87CADCAB062):
Extension Information:
I'd appreciate any pointers on how to tackle UAFs in kernel space.
For years, my app has been receiving XLSX files from other apps using the share command.
For example, in an email, I use the share command on an xlsx attachment and send it to my app.
From my app, I go to the Documents/Inbox folder and find the file.
This mechanism has broken! And I'm not talking about an app compiled with XCode26, but simply installing my app, still compiled with XCode16, on iPadOS26.
It seems that the operating system no longer puts files in the Inbox. Is this true?
Hi,
I just released a new version of an app that was transferred from another developer account.
The previous version of this app used the App Groups feature to store some important data, and I would like to retrieve that data.
In the new version, I’m using the same bundle identifier and the same App Group ID (which has already been deleted from the original developer account). I also added the App Groups entitlement in the project settings and set the same App Group ID. However, I still cannot access the data in the App Group.
From the documentation and issues I’ve found, it seems that an app should still have permission to access the same App Group after being transferred.
Did I miss something?
Thanks!
Topic:
Code Signing
SubTopic:
Entitlements
Tags:
Files and Storage
iOS
Entitlements
Provisioning Profiles
It's quite common for app bundles to be distributed in .zip files, and to be stored on-disk as filesystem-compressed files. However, having them both appears to be an edge case that's broken for at least two major releases! (FB19048357, FB19329524)
I'd expect a simple ditto -x -k appbundle.zip ~/Applications (-x: extract, -k: work on a zip file) to work. Instead it spits out countless errors and leaves 0 Byte files in the aftermath 😭
Please fix.
How do I get the FileManager in SwiftUI to read information about the apps in the Applications folder. Lots of apps do it, Alfred, Raycast. It's not something that is unheard of, and yet I cannot for the life of me, using every kind of guide on the internet figure out how to achieve this. Please somebody help, this is legitimately affecting my mental health.
Hello! Some colleagues and work on Jujutsu, a version control system compatible with git, and I think we've uncovered a potential lock contention bug in either APFS or the Darwin kernel. There are four contributing factors to us thinking this is related to APFS or the Kernel:
jj's testsuite uses nextest, a test runner for Rust that spawns each individual test as a separate process.
The testsuite slowed down by a factor of ~5x on macOS after jj started using fsync. The slowdown increases as additional cores are allocated.
A similar slowdown did not occur on ext4.
Similar performance issues were reported in the past by a former Mercurial maintainer: https://gregoryszorc.com/blog/2018/10/29/global-kernel-locks-in-apfs/.
My friend and colleague André has measured the test suite on an M3 Ultra with both a ramdisk and a traditional SSD and produced this graph:
(The most thorough writeup is the discussion on this pull request.)
I know I should file a feedback/bug report, but before I do, I'm struggling with profiling and finding kernel/APFS frames in my profiles so that I can properly attribute the cause of this apparent lock contention. Naively, I ran xctrace record --template 'Time Profiler' --output output.trace --launch /Users/dbarsky/.cargo/bin/cargo-nextest nextest run, and while that detected all processes spawned by nextest, it didn't record all processes as part of the same inspectable profile and didn't really show any frames from the kernel/APFS—I had to select individual processes. So I don't waste people's time and so that I can point a frame/smoking gun in the right system, how can I can use instruments to profile where the kernel and/or APFS are spending its time? Do I need to disable SIP?
I'm having a problem on macOS 26 that has not happened on previous macOS versions. When I call
guard url.startAccessingSecurityScopedResource() else { return }
try url.bookmarkData(options: [.withSecurityScope])
with url being "file:///", I get an error
Error Domain=NSCocoaErrorDomain Code=256 "File descriptor doesn't match the real path."
Given that Google returns 0 results on this error, I suppose this is a macOS 26 novelty. (The bookmark data created before upgrading to 26 resolve well).
Does anyone already met this or have an idea on how to get around it? The app is a file manager, so having bookmarked access to "/" is crucial.
I would like to understand the recommended App Store–compliant method for uninstalling applications, particularly in cases where certain apps are owned by root rather than the user.
Currently, since root-owned apps cannot be uninstalled, I display the error message: 'App name couldn’t be moved to the Trash because you don’t have permission to access it. please run sudo chown -R $user /application/appname and try again'
I then instruct users to change the ownership of the app and try again, but this approach does not appear to align with App Store policies.
I'm using UIDocumentPickerViewController to open a url. Works fine in debug mode but version on the App Store is failing.
Code to create the document picker is like:
NSArray *theTypes = [UTType typesWithTag:@"docxtensionhere" tagClass:UTTagClassFilenameExtension conformingToType:nil];
UIDocumentPickerViewController *documentPicker = [[UIDocumentPickerViewController alloc]initForOpeningContentTypes:theTypes];
documentPicker.delegate = self;
[self presentViewController:documentPicker animated:YES completion:nil];
So in debug mode this is all gravy. -documentPicker:didPickDocumentsAtURLs: passes back a URL and I can read the file.
In release mode I get a URL but my app is denied access to read the file. After inspecting some logging it appears the sandbox is not granting my app permission.
error Domain=NSCocoaErrorDomain Code=257 "The file “Filename.fileextensionhere” couldn’t be opened because you don’t have permission to view it." UserInfo={NSFilePath=/private/var/mobile/Library/Mobile Documents/comappleCloudDocs/Filename.fileextensionhere, NSUnderlyingError=0x2834c9da0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}
--
If I'm doing something wrong with UIDocumentPickerViewController it is a real shame that permission is not being denied in Debug mode, as devs are more likely to catch in prior to release. Anyone know where I'm going wrong and if not have a workaround? Thanks in advance.
I have created a sample app which read/write from a network file. When the file was attempted to open (using open Linux API), connection to network file was lost. The thread which was stuck on the open method, returns after a long time.
It was observed that for macOS, the maximum return time of the thread was around 10 mins, whereas in Windows and Linux, the maximum timeout was 60 sec and 90 sec.
macOS has a very large timeout before returning the thread with a network failure error. Is this by designed and expected? With a large timeout as 10mins, it's difficult to respond swiftly back to the user.
Hi,
The app that I'm developing requires data transfer between iOS device and external device through usb-c cable connection. So I'm trying to copy and paste the file between iOS and external storage device automactically. I've tried using UIDocuementPickerController with bookmark, which gives the url path of connected external storage after user selection for the first selection, but it could not be used directly without user interaction afterwards. Is it possible to use the storage url path automatically after user selection for the first time? How do I achieve that? Thanks in advance
I have an iOS app that allows user to select a folder (from local Files).
User is seemingly capable selecting the "On My iPhone" folder (the "Open" button is enabled, clickable and when it is tapped the app gets the relevant URL) although there's nothing in that folder apart from ".trash" item. Is selecting that folder not supported? If not why is the "Open" button enabled on that level to begin with?