Modern versions of macOS use a file system permission model that’s far more complex than the traditional BSD rwx model, and this post is my attempt at explaining that model. If you have a question about this, post it here on DevForums. Put your thread in the App & System Services > Core OS topic area and tag it with Files and Storage.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
On File System Permissions
Modern versions of macOS have four different file system permission mechanisms:
Traditional BSD permissions
Access control lists (ACLs)
App Sandbox
Mandatory access control (MAC)
The first two were introduced a long time ago and rarely trip folks up. The second two are newer, more complex, and specific to macOS, and thus are the source of some confusion. This post is my attempt to clear that up.
Error Codes
App Sandbox and the mandatory access control system are both implemented using macOS’s sandboxing infrastructure. When a file system operation fails, check the error to see whether it was blocked by this sandboxing infrastructure. If an operation was blocked by BSD permissions or ACLs, it fails with EACCES (Permission denied, 13). If it was blocked by something else, it’ll fail with EPERM (Operation not permitted, 1).
If you’re using Foundation’s FileManager, these error are both reported as Foundation errors, for example, the NSFileReadNoPermissionError error. To recover the underlying error, get the NSUnderlyingErrorKey property from the info dictionary.
App Sandbox
File system access within the App Sandbox is controlled by two factors. The first is the entitlements on the main executable. There are three relevant groups of entitlements:
The com.apple.security.app-sandbox entitlement enables the App Sandbox. This denies access to all file system locations except those on a built-in allowlist (things like /System) or within the app’s containers.
The various “standard location” entitlements extend the sandbox to include their corresponding locations.
The various “file access temporary exceptions” entitlements extend the sandbox to include the items listed in the entitlement.
Collectively this is known as your static sandbox.
The second factor is dynamic sandbox extensions. The system issues these extensions to your sandbox based on user behaviour. For example, if the user selects a file in the open panel, the system issues a sandbox extension to your process so that it can access that file. The type of extension is determined by the main executable’s entitlements:
com.apple.security.files.user-selected.read-only results in an extension that grants read-only access.
com.apple.security.files.user-selected.read-write results in an extension that grants read/write access.
Note There’s currently no way to get a dynamic sandbox extension that grants executable access. For all the gory details, see this post.
These dynamic sandbox extensions are tied to your process; they go away when your process terminates. To maintain persistent access to an item, use a security-scoped bookmark. See Accessing files from the macOS App Sandbox. To pass access between processes, use an implicit security scoped bookmark, that is, a bookmark that was created without an explicit security scope (no .withSecurityScope flag) and without disabling the implicit security scope (no .withoutImplicitSecurityScope flag)).
If you have access to a directory — regardless of whether that’s via an entitlement or a dynamic sandbox extension — then, in general, you have access to all items in the hierarchy rooted at that directory. This does not overrule the MAC protection discussed below. For example, if the user grants you access to ~/Library, that does not give you access to ~/Library/Mail because the latter is protected by MAC.
Finally, the discussion above is focused on a new sandbox, the thing you get when you launch a sandboxed app from the Finder. If a sandboxed process starts a child process, that child process inherits its sandbox from its parent. For information on what happens in that case, see the Note box in Enabling App Sandbox Inheritance.
IMPORTANT The child process inherits its parent process’s sandbox regardless of whether it has the com.apple.security.inherit entitlement. That entitlement exists primarily to act as a marker for App Review. App Review requires that all main executables have the com.apple.security.app-sandbox entitlement, and that entitlements starts a new sandbox by default. Thus, any helper tool inside your app needs the com.apple.security.inherit entitlement to trigger inheritance. However, if you’re not shipping on the Mac App Store you can leave off both of these entitlement and the helper process will inherit its parent’s sandbox just fine. The same applies if you run a built-in executable, like /bin/sh, as a child process.
When the App Sandbox blocks something, it typically generates a sandbox violation report. For information on how to view these reports, see Discovering and diagnosing App Sandbox violations.
To learn more about the App Sandbox, see the various links in App Sandbox Resources. For information about how to embed a helper tool in a sandboxed app, see Embedding a Command-Line Tool in a Sandboxed App.
Mandatory Access Control
Mandatory access control (MAC) has been a feature of macOS for many releases, but it’s become a lot more prominent since macOS 10.14. There are many flavours of MAC but the ones you’re most likely to encounter are:
Full Disk Access (macOS 10.14 and later)
Files and Folders (macOS 10.15 and later)
App container protection (macOS 14 and later)
App group container protection (macOS 15 and later)
Data Vaults (see below) and other internal techniques used by various macOS subsystems
Mandatory access control, as the name suggests, is mandatory; it’s not an opt-in like the App Sandbox. Rather, all processes on the system, including those running as root, as subject to MAC.
Data Vaults are not a third-party developer opportunity. See this post if you’re curious.
In the Full Disk Access and Files and Folders cases, users grant a program a MAC privilege using System Settings > Privacy & Security. Some MAC privileges are per user (Files and Folders) and some are system wide (Full Disk Access). If you’re not sure, run this simple test:
On a Mac with two users, log in as user A and enable the MAC privilege for a program.
Now log in as user B. Does the program have the privilege?
If a process tries to access an item restricted by MAC, the system may prompt the user to grant it access there and then. For example, if an app tries to access the desktop, you’ll see an alert like this:
“AAA” would like to access files in your Desktop folder.
[Don’t Allow] [OK]
To customise this message, set Files and Folders properties in your Info.plist.
This system only displays this alert once. It remembers the user’s initial choice and returns the same result thereafter. This relies on your code having a stable code signing identity. If your code is unsigned, or signed ad hoc (“Signed to Run Locally” in Xcode parlance), the system can’t tell that version N+1 of your code is the same as version N, and thus you’ll encounter excessive prompts.
Note For information about how that works, see TN3127 Inside Code Signing: Requirements.
The Files and Folders prompts only show up if the process is running in a GUI login session. If not, the operation is allowed or denied based on existing information. If there’s no existing information, the operation is denied by default.
For more information about app and app group container protection, see the links in Trusted Execution Resources. For more information about app groups in general, see App Groups: macOS vs iOS: Fight!
On managed systems the site admin can use the com.apple.TCC.configuration-profile-policy payload to assign MAC privileges.
For testing purposes you can reset parts of TCC using the tccutil command-line tool. For general information about that tool, see its man page. For a list of TCC service names, see the posts on this thread.
Note TCC stands for transparency, consent, and control. It’s the subsystem within macOS that manages most of the privileges visible in System Settings > Privacy & Security. TCC has no API surface, but you see its name in various places, including the above-mentioned configuration profile payload and command-line tool, and the name of its accompanying daemon, tccd.
While tccutil is an easy way to do basic TCC testing, the most reliable way to test TCC is in a VM, restoring to a fresh snapshot between each test. If you want to try this out, crib ideas from Testing a Notarised Product.
The MAC privilege mechanism is heavily dependent on the concept of responsible code. For example, if an app contains a helper tool and the helper tool triggers a MAC prompt, we want:
The app’s name and usage description to appear in the alert.
The user’s decision to be recorded for the whole app, not that specific helper tool.
That decision to show up in System Settings under the app’s name.
For this to work the system must be able to tell that the app is the responsible code for the helper tool. The system has various heuristics to determine this and it works reasonably well in most cases. However, it’s possible to break this link. I haven’t fully research this but my experience is that this most often breaks when the child process does something ‘odd’ to break the link, such as trying to daemonise itself.
If you’re building a launchd daemon or agent and you find that it’s not correctly attributed to your app, add the AssociatedBundleIdentifiers property to your launchd property list. See the launchd.plist man page for the details.
Scripting
MAC presents some serious challenges for scripting because scripts are run by interpreters and the system can’t distinguish file system operations done by the interpreter from those done by the script. For example, if you have a script that needs to manipulate files on your desktop, you wouldn’t want to give the interpreter that privilege because then any script could do that.
The easiest solution to this problem is to package your script as a standalone program that MAC can use for its tracking. This may be easy or hard depending on the specific scripting environment. For example, AppleScript makes it easy to export a script as a signed app, but that’s not true for shell scripts.
TCC and Main Executables
TCC expects its bundled clients — apps, app extensions, and so on — to use a native main executable. That is, it expects the CFBundleExecutable property to be the name of a Mach-O executable. If your product uses a script as its main executable, you’re likely to encounter TCC problems. To resolve these, switch to using a Mach-O executable. For an example of how you might do that, see this post.
Revision History
2024-11-08 Added info about app group container protection. Clarified that Data Vaults are just one example of the techniques used internally by macOS. Made other editorial changes.
2023-06-13 Replaced two obsolete links with links to shiny new official documentation: Accessing files from the macOS App Sandbox and Discovering and diagnosing App Sandbox violations. Added a short discussion of app container protection and a link to WWDC 2023 Session 10053 What’s new in privacy.
2023-04-07 Added a link to my post about executable permissions. Fixed a broken link.
2023-02-10 In TCC and Main Executables, added a link to my native trampoline code. Introduced the concept of an implicit security scoped bookmark. Introduced AssociatedBundleIdentifiers. Made other minor editorial changes.
2022-04-26 Added an explanation of the TCC initialism. Added a link to Viewing Sandbox Violation Reports. Added the TCC and Main Executables section. Made significant editorial changes.
2022-01-10 Added a discussion of the file system hierarchy.
2021-04-26 First posted.
Files and Storage
RSS for tagAsk questions about file systems and block storage.
Posts under Files and Storage tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
General:
Forums subtopic: App & System Services > Core OS
Forums tags: Files and Storage, Foundation, FSKit, File Provider, Finder Sync, Disk Arbitration, APFS
Foundation > Files and Data Persistence documentation
Low-level file system APIs are documented in UNIX manual pages
File System Programming Guide archived documentation
About Apple File System documentation
Apple File System Guide archived documentation
File system changes introduced in iOS 17 forums post
On File System Permissions forums post
Extended Attributes and Zip Archives forums post
Unpacking Apple Archives forums post
Creating new file systems:
FSKit framework documentation
File Provider framework documentation
Finder Sync framework documentation
App Extension Programming Guide > App Extension Types > Finder Sync archived documentation
Managing storage:
Disk Arbitration framework documentation
Disk Arbitration Programming Guide archived documentation
Mass Storage Device Driver Programming Guide archived documentation
Device File Access Guide for Storage Devices archived documentation
BlockStorageDeviceDriverKit framework documentation
Volume format references:
Apple File System Reference
TN1150 HFS Plus Volume Format
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Hi there,
I have discovered that the behavior of file copying has changed starting from iOS 18.4.
When using FileManager.copyItem(atPath:toPath:) to copy a directory specified as an argument, whether or not there is a trailing slash ('/') affects whether the copy process works correctly.
The same process operates as expected in the iOS 18.3.1 Simulator.
Is this the correct behavior, or could it be a bug?
The application's build environment is Xcode 16.2.
Below is an example of the code. In practice, the file copying is performed within the application's folder.
// Both iOS 18.3.1 and iOS 18.4 successfully complete the copy process.
FileManager.default.copyItem(atPath: "/path/from/dirA", toPath: "/path/to/dirB")
FileManager.default.copyItem(atPath: "/path/from/dirA/", toPath: "/path/to/dirB/")
// iOS 18.3.1 successfully complete the copy process, but iOS 18.4 fails.
FileManager.default.copyItem(atPath: "/path/from/dirA/", toPath: "/path/to/dirB")
I hope this helps Apple engineers and other developers experiencing the same issue. Feedback or additional insights would be appreciated.
Question:
What is the standard, most reliable way to manage temporary files associated with a URLSessionDownloadTask that has been terminated abnormally due to a network error or other issues?
Details
Hello,
I'm currently developing a feature to download multiple files concurrently on iOS using URLSessionDownloadTask, and I have a question regarding the lifecycle of the temporary files created during this process.
As I understand it, URLSessionDownloadTask stores incoming data in a temporary file within the tmp directory, typically with a name like CFNetworkDownload_*.tmp.
In my testing, temporary files are managed correctly in the normal scenario. For instance, when I call the cancel() method on an active downloadTask and then release all references to it, the corresponding temporary file is automatically cleaned up from the tmp directory shortly after.
However, the problem occurs when a download is interrupted abnormally due to external factors, such as a lost network connection. In this situation, the urlSession(_:task:didCompleteWithError:) delegate method is called, but the associated temporary file is not deleted and remains in the tmp directory.
I've observed a particularly interesting behavior related to this. Immediately after the error occurs, if I check my app's storage usage in the iOS Settings app, the data size appears to have decreased momentarily. However, the tmp file has not actually been deleted, and after a short while, the storage usage is recalculated to include the size of this orphaned temporary file.
Since my app does not support resuming interrupted downloads, these leftover files become orphaned and unnecessarily consume storage. Therefore, I want to ensure they are all reliably deleted.
With this context, I'd like to ask the community:
What is the standard, most reliable way to manage temporary files associated with a URLSessionDownloadTask that has been terminated abnormally due to a network error or other issues?
I am wondering if there is an official guide or a framework-level API to handle these orphaned files.
I would appreciate any advice from those with experience in this area. Thank you.
A user of my app reported that when trying to remove a file it always fails with the error "file couldn't be removed because you don't have permission to access it (Cocoa Error Domain 513)". After some testing, we found out that it's caused by trying to delete non-empty directories.
I'm using FileManager.removeItem(atPath:) which has worked fine for many years, but it seems that with their particular NAS, it doesn't work.
I could work around this by checking if the file is a directory, and if it is, enumerating the directory and remove each contained file before removing the directory itself. But shouldn't this already be taken care of? In the source code of FileManager I see that for Darwin platforms it calls
removefile(pathPtr, state, removefile_flags_t(REMOVEFILE_RECURSIVE))
so it seems that it should already work. Is the REMOVEFILE_RECURSIVE flag perhaps ignored by the device? But then, is the misleading "you don't have permission to access the file" error thrown by the device or by macOS?
For the FileManager source code, see https://github.com/swiftlang/swift-foundation/blob/1d5d70997410fc8b7700c8648b10d6fc28194202/Sources/FoundationEssentials/FileManager/FileOperations.swift#L444
I attempted to mount a WebDAV server on macOS using Finder. The mount was successful when using the server's IPv4 address or hostname, but failed when using its IPv6 address.
I also tested the mount using the NetFS framework API via NetFSMountURLSync. The results were consistent: the mount succeeded with the IPv4 address and hostname but failed when using the IPv6 address.
While observing live logs via Console.app, I saw that the process NetAuthSysAgent produced the following error during the IPv6 mount attempt: GetServerInfo failed with error 5
My app for framing and arranging pictures from Photos on visionOS allows users to write the arrangements they create to .reality files using RealityKit entity.write(to:) that they then display to customers on their websites. This works perfectly on visionOS 2, but fails with a fatal protection error on visionOS 26 beta 1 and beta 2 when write(to:) attempts to write to its internal cache:
2025-06-29 14:03:04.688 Failed to write reality file Error Domain=RERealityFileWriterErrorDomain Code=10 "Could not create parent folders for file path /var/mobile/Containers/Data/Application/81E1DDC4-331F-425D-919B-3AB87390479A/Library/Caches/com.GeorgePurvis.Photography.FrameItVision/RealityFileBundleZippingTmp_A049685F-C9B2-479B-890D-CF43D13B60E9/41453BC9-26CB-46C5-ADBE-C0A50253EC27."
UserInfo={NSLocalizedDescription=Could not create parent folders for file path /var/mobile/Containers/Data/Application/81E1DDC4-331F-425D-919B-3AB87390479A/Library/Caches/com.GeorgePurvis.Photography.FrameItVision/RealityFileBundleZippingTmp_A049685F-C9B2-479B-890D-CF43D13B60E9/41453BC9-26CB-46C5-ADBE-C0A50253EC27.}
Has anyone else encountered this problem? Do you have a workaround? Have you filed a feedback?
ChatGPT analysis of the error and my code reports:
Why there is no workaround
• entity.write(to:) is a black box — you cannot override where it builds its staging bundle
• it always tries to create those random folders itself
• you cannot supply a parent or working directory to RealityFileWriter
• so if the system fails to create that folder, you cannot patch it
👉 This is why you see a fatal error with no recovery.
See also feedbacks: FB18494954, FB18036627, FB18063766
Apple claims you can share files to the Xcode simulator.
The first step works (share-to-simulator context menu exists). But when you execute this nothing happens.
This contradicts the apple documentation which states:
a Simulator opens the Files app, and lets you select where to save the files.
If I instead try to drag and drop between the Mac and the simulator's file manger I receive the message:
Simulator device failed to open file:///Users/me/Downloads/Exchange/ExampleExport.json.
So what is the trick? Is there a missing authorisation that I need to set in the simulator's settings for example?
MacOS: 15.5
Xcode: 16.4 (16F6)
... the latest stable Apple versions.
Dear Apple Support,
We are experiencing a critical issue affecting some of our macOS users during application updates via DMG.
In certain cases, when users attempt to update the app by dragging it from the mounted DMG to the /Applications folder (replacing the old version), the application becomes corrupted. Users receive an error indicating that the app cannot be opened.
On retry, they are met with an error stating that the app cannot be overwritten.
Upon inspection, the resulting application bundle is incomplete and contains only the following structure:
.
└── Contents
└── CodeResources
The only known workaround is to completely remove the existing app from /Applications before copying the new version — this resolves the issue consistently.
We’ve observed this issue in the field with increasing frequency, which negatively impacts user trust. We also found similar reports from other developers (e.g., https://github.com/warpdotdev/Warp/issues/5492), suggesting a broader issue.
Questions:
What could be the underlying cause of this behavior on macOS (e.g., MDM, security policies, filesystem behavior)?
Are there any recommended practices to prevent or mitigate this issue when updating apps via DMG?
We would appreciate any guidance or clarification you can provide.
Best regards,
Ivan Poluianov
Seems like converting groups into folders looks like a great way to clear up the project file and reduce merge conflicts for large teams, started trying it today and it even lead us to find some untracked/unused files in the project. This structure also seems to be the default now after Xcode 16. The question is, are there any downsides to converting groups to folders, the one ones that come to mind is losing Xcode virtual file ordering, which is no biggie. If you have an "enterprise level app" would love to hear your experience if your team decided to convert to a folder structure.
Seems like converting groups into folders looks like a great way to clear up the project file and reduce merge conflicts for large teams, started trying it today and it even lead us to find some untracked/unused files in the project. This structure also seems to be the default now after Xcode 16. The question is, are there any downsides to converting groups to folders, the one ones that come to mind is losing Xcode virtual file ordering, which is no biggie. If your have an "enterprise level app" would love to hear your experience if your team decided to convert to a folder structure.
what is that makes the TLS be the TLS/SErver ?
Topic:
Community
SubTopic:
Swift Student Challenge
Tags:
App Tracking Transparency
MetricKit
Files and Storage
IOBluetooth
Hello Apple Developer Community,
I'm encountering a persistent issue while attempting to create a new partition on my Mac, and I'm hoping to get some assistance or insights from anyone who might have faced a similar problem.
Issue Description:
I'm trying to partition my internal drive. I initially used Disk Utility.app for this purpose. The partitioning process starts, but consistently freezes when it reaches approximately 10-20% completion. I've left it running overnight (for over 9 hours), but there was no progress, and the application remained unresponsive at that percentage.
After several attempts with Disk Utility, I decided to try using the diskutil commands in Terminal to see if that would yield a different result. I used commands such as diskutil apfs resizeContainer and diskutil partitionDisk. Unfortunately, these commands also result in the same behavior: the process starts, reports progress up to about 10-20%, and then completely freezes without any further output or completion, requiring me to force-quit Terminal.
Mac Model: Apple M4 Pro
MacOS Version: Sequoia 15.6
We have a seemingly randomly (and rarely) reproducible bug when a Microsoft Word (or Excel, Powerpoint...) temporary file with the ~$ prefix is not removed when the document is closed and causes a remotely deleted folder to be recreated via our file provider extension. We have received multiple issues from our users for some time now, and we could not reproduce it so far, but finally got a repro but could not identify the cause.
We could reproduce it with the following steps, however not always, and only on one computer:
We have the following file: FileProviderRoot/TEST/INSIDE/somefile.docx
Open this file, edit with MS Word. A ~$mefile.docx hidden, temporary file is created next to the original file, while it is open in Word. This temp file is ignored by our file provider implementation by returning an .excludeFromSync error code.
Save the file, modifications are synced. (don't know if this step is needed)
We delete the container folder (FileProviderRoot/TEST/INSIDE) from within our app, the deletion change is propagated to the file provider, which in turn receives a call to createItem(basedOn:fields:contents:options:request:completionHandler:) that recreates the INSIDE folder, as - for some reason - the temp file cannot be deleted. Now we are stuck in this loop of delete/recreate until we go into the file provider folder and manually remove the stuck temp file.
We would expect that the folder is not recreated but also removed from the file provider and disk along with the temp file.
On the device that this issue was reproduced, it also seems to work correctly most of the time, but needs manual fixing when this issue occurs.
We have a related bugreport: FB17928069
Hi All, I searched for this feedback but didn't see it, so apologies if this has been covered by another thread. Exploring the new camera app, It doesn't seem to recognize that external storage has been connected, so the additional features that allow ProRes high frame rates will throw an error dialog stating that "to use this you need external storage" even when external storage is connected. Using the Files app, the phone recognizes the storage, and this is something I can do with this external storage device on the previous version of IOS.
It is clear that this release of the camera has been rewritten significantly since the last version. Is it possible that this is an oversight, a bug, or just functionality that has not been completed? Interested if anybody else is seeing this, or if it is just my setup.
I'm trying to make an FSKit module for NTFS read-write filesystem and at the stage where everything is more or less working fine as long as I mount the volume via mount -F and that volume is a RAM disk. However, since the default NTFS read-only driver is already present in macOS, this introduces an additional challenge.
Judging by the DiskArbitration sources, it looks like all FSKit modules are allowed to probe anything only after all kext modules. So, in this situation, any third-party NTFS FSKit module is effectively blocked from using DiskArbitration mechanisms at all because it's always masked during the probing by the system's read-only kext.
This leaves mount -F as the only means to mount the NTFS volume via FSKit. However, even that doesn't work for volumes on real (non-RAM) disks due to permission issues. The logs in Console.app hint that the FSKit extension is running; however, it looks like the fskitd itself doesn't have permissions to access real disks if it's initiated from the mount utility?
default 16:42:41.939498+0200 fskitd New module list <private>
default 16:42:41.939531+0200 fskitd Old modules (null)
default 16:42:41.939578+0200 fskitd Added 2 identifiers: <private>
default 16:42:41.939651+0200 fskitd [0x7fc58020bf00] activating connection: mach=true listener=true peer=false name=com.apple.filesystems.fskitd
debug 16:42:41.939768+0200 fskitd main:RunLoopRun
debug 16:42:41.939811+0200 fskitd -[liveFilesMountServiceDelegate listener:shouldAcceptNewConnection:]: start
default 16:42:41.939870+0200 fskitd Incomming connection, entitled 0
debug 16:42:41.940021+0200 fskitd -[liveFilesMountServiceDelegate listener:shouldAcceptNewConnection:]: accepting connection
default 16:42:41.940048+0200 fskitd [0x7fc580006120] activating connection: mach=false listener=false peer=true name=com.apple.filesystems.fskitd.peer[1816].0x7fc580006120
default 16:42:41.940325+0200 fskitd Hello FSClient! entitlement no
default 16:42:41.940977+0200 fskitd About to get current agent for 503
default 16:42:41.941104+0200 fskitd [0x7fc580015480] activating connection: mach=true listener=false peer=false name=com.apple.fskit.fskit_agent
info 16:42:41.941227+0200 fskitd About to call to fskit_agent
debug 16:42:42.004630+0200 fskitd -[fskitdAgentManager currentExtensionForShortName:auditToken:replyHandler:]_block_invoke: Found extension for fsShortName (<private>)
info 16:42:42.005409+0200 fskitd Probe starting on <private>
debug 16:42:42.005480+0200 fskitd -[FSResourceManager getResourceState:]:not_found:<private>
debug 16:42:42.005528+0200 fskitd -[FSResourceManager addTaskUUID:resource:]:<private>: Adding task (<private>)
debug 16:42:42.005583+0200 fskitd applyResource starting with resource <private> kind 1
default 16:42:42.005609+0200 fskitd About to get current agent for 503
info 16:42:42.005629+0200 fskitd About to call to fskit_agent
debug 16:42:42.006700+0200 fskitd -[fskitdXPCServer getExtensionModuleFromID:forToken:]_block_invoke: Found extension <private>, attrs <private>
default 16:42:42.006829+0200 fskitd About to get current agent for 503
info 16:42:42.006858+0200 fskitd About to call to fskit_agent, bundle ID <private>, instanceUUID <private>
default 16:42:42.070923+0200 fskitd About to grab assertion on pid 1820
default 16:42:42.071058+0200 fskitd Initializing connection
default 16:42:42.071141+0200 fskitd Removing all cached process handles
default 16:42:42.071185+0200 fskitd Sending handshake request attempt #1 to server
default 16:42:42.071223+0200 fskitd Creating connection to com.apple.runningboard
info 16:42:42.071224+0200 fskitd Acquiring assertion: <RBSAssertionDescriptor| "com.apple.extension.session" ID:(null) target:1820>
default 16:42:42.071258+0200 fskitd [0x7fc58001cdc0] activating connection: mach=true listener=false peer=false name=com.apple.runningboard
default 16:42:42.075617+0200 fskitd Handshake succeeded
default 16:42:42.075660+0200 fskitd Identity resolved as osservice<com.apple.filesystems.fskitd>
debug 16:42:42.076337+0200 fskitd Adding assertion 183-1817-1669 to dictionary
debug 16:42:42.076385+0200 fskitd +[FSBlockDeviceResource(Project) openWithBSDName:writable:auditToken:replyHandler:]:bsdName:<private>
default 16:42:42.076457+0200 fskitd [0x7fc5801092e0] activating connection: mach=true listener=false peer=false name=com.apple.fskit.fskit_helper
default 16:42:42.077706+0200 fskitd +[FSBlockDeviceResource(Project) openWithBSDName:writable:auditToken:replyHandler:]_block_invoke: Open device returned error Error Domain=NSPOSIXErrorDomain Code=13
info 16:42:42.077760+0200 fskitd +[FSBlockDeviceResource(Project) openWithBSDName:writable:auditToken:replyHandler:]: failed to open device <private>, Error Domain=NSPOSIXErrorDomain Code=13
default 16:42:42.077805+0200 fskitd [0x7fc5801092e0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
debug 16:42:42.077830+0200 fskitd +[FSBlockDeviceResource(Project) openWithBSDName:writable:auditToken:replyHandler:]:end
info 16:42:42.078459+0200 fskitd openWith returned err Error Domain=NSPOSIXErrorDomain Code=13 dev (null)
error 16:42:42.078501+0200 fskitd -[fskitdXPCServer getRealResource:auditToken:reply:]: Unable to convert proxy FSBlockDeviceResource into open resource
error 16:42:42.078538+0200 fskitd -[fskitdXPCServer applyResource:targetBundle:instanceID:initiatorAuditToken:authorizingAuditToken:isProbe:usingBlock:]: Can't get the real resource of <private>
default 16:42:42.105443+0200 fskitd [0x7fc580006120] invalidated because the client process (pid 1816) either cancelled the connection or exited
The mount utility call I use is the same for RAM and real disks with the only difference being the device argument and this permission error is only relevant for real disks case.
So, the proper solution (using DiskArbitration) seems to be blocked architecturally in this use case due to FSKit modules being relegated to the fallback role. Is this subject to change in the future?
The remaining workaround with using the mount directly doesn't work for unclear reasons. Is that permission error a bug? Or am I missing something?
I see this in Tahoe Beta release notes
macOS now supports the Apple Sparse Image Format (ASIF). These space-efficient images can be created with the diskutil image command-line tool or the Disk Utility application and are suitable for various uses, including as a backing store for virtual machines storage via the Virtualization framework. See VZDiskImageStorageDeviceAttachment. (152040832)
I'm developing a macOS app using the Virtualization framework and need to create disk images in the ASIF (Apple Sparse Image Format) to make use of the new feature in Tahoe
Is there an official way to create/resize ASIF images programmatically using Swift? I couldn’t find any public API that supports this directly.
Any guidance or recommendations would be appreciated.
Thanks!
Hello everyone,
I'm developing a macOS application that programmatically sets custom icons for folders, and I've hit a wall trying to get Finder to display the icon changes consistently.
The Goal:
To change a folder's icon using NSWorkspace.shared.setIcon and have Finder immediately show the new icon.
What I've Tried (The Refresh Mechanism):
After setting the icon, I attempt to force a Finder refresh using several sandbox-friendly techniques:
Updating the Modification Date (the "touch" method):
try FileManager.default.setAttributes([.modificationDate: Date()], ofItemAtPath: pathToUse)
Notifying NSWorkspace:
NSWorkspace.shared.noteFileSystemChanged(pathToUse)
Posting Distributed Notifications:
DistributedNotificationCenter.default().post(name: Notification.Name("com.apple.Finder.FolderChanged"), object: pathToUse)
The Problem:
This combination of methods works perfectly, but only under specific conditions:
When setting a custom icon on a folder for the first time.
When changing the icon of an alias.
For any subsequent icon change on a regular folder, Finder stubbornly displays the old, cached icon. I've confirmed that the user can see the new icon by manually closing and reopening the folder window, but this is obviously not a user-friendly solution.
Investigating a Reset with AppleScript:
I've noticed that the AppleScript update command seems to force the kind of complete refresh I need:
tell application "Finder"
update POSIX file "/path/to/your/folder"
end tell
Running this seems to reset the folder's state in Finder, effectively recreating the "first-time set" scenario where my other methods work.
However, the major roadblock is that I can't figure out how to reliably execute this from a sandboxed environment. I understand it likely requires specific scripting entitlements, but it's unclear which ones would be needed for this update command on a user-chosen folder, or if it's even permissible for the App Store.
My Questions:
Is there a reliable, sandbox-safe way to make the standard Cocoa methods (noteFileSystemChanged, updating the modification date, etc.) work for subsequent icon updates on regular folders? Am I missing a step?
If not, what is the correct way to configure a sandboxed app's entitlements to safely run the tell application "Finder" to update command for a folder the user has granted access to?
Any insight or alternative approaches would be greatly appreciated. Thank you
I am developing an Apple app that has to download 1000s of MP4 files between 5 and 150MB each at one time (can take an hour or more - is OK). I use Apple's file picker to select the files, and then it freezes and I cannot download anything. I had this working a few months ago but now I cannot get it to work. Can someone give me some advice please?
We are seeing a kernel panic in nfsd when using vagrant synced folders. The issue started with macOS 15.4 and still occurs with macOS 15.5. It’s 100% reproducible when bringing up a new vagrant environment. The kernel panic does not occur when using smb instead of nfs.
https://developer.hashicorp.com/vagrant/docs/synced-folders/nfs
Other people have reported a similar issue when using nfs with Docker.
https://github.com/docker/for-mac/issues/7664
I filed this under FB17853906.
I spoke with an engineer at the Apps & Services WWDC lab and they recommended I post here to make sure the bug gets looked at and routed to the correct team.
I've gotten to the point where I can use the mount(8) command line tool and the -t option to mount a file system using my FSKit file system extension, in which case I can see a process for my extension launch, probe, and perform the other necessary actions.
However, when plugging in my USB flash drive or trying to mount with diskutil mount, the file system does not mount:
$ diskutil mount disk20s3
Volume on disk20s3 failed to mount
If you think the volume is supported but damaged, try the "readOnly" option
$ diskutil mount readOnly disk20s3
Volume on disk20s3 failed to mount
If you think the volume is supported but damaged, try the "readOnly" option
Initially I thought it would be enough to just implement probeExtension(resource:replyHandler:) and the system would handle the rest, but this doesn't seem to be the case. Even a trivial implementation that always returns .usable doesn't cause the system to use my FSModule, even though I've enabled my extension in System Settings > General > Login Items & Extensions > File System Extensions.
From looking at some of the open source msdos and Disk Arb code, it seems like my app extension needs to list FSMediaTypes to probe. I eventually tried putting this in my Info.plist of the app extension:
<key>FSMediaTypes</key>
<dict>
<key>EBD0A0A2-B9E5-4433-87C0-68B6B72699C7</key>
<dict>
<key>FSMediaProperties</key>
<dict>
<key>Content Hint</key>
<string>EBD0A0A2-B9E5-4433-87C0-68B6B72699C7</string>
<key>Leaf</key>
<true/>
</dict>
</dict>
<key>0FC63DAF-8483-4772-8E79-3D69D8477DE4</key>
<dict>
<key>FSMediaProperties</key>
<dict>
<key>Content Hint</key>
<string>0FC63DAF-8483-4772-8E79-3D69D8477DE4</string>
<key>Leaf</key>
<true/>
</dict>
</dict>
<key>Whole</key>
<dict>
<key>FSMediaProperties</key>
<dict>
<key>Leaf</key>
<true/>
<key>Whole</key>
<true/>
</dict>
</dict>
<key>ext4</key>
<dict>
<key>FSMediaProperties</key>
<dict>
<key>Content Hint</key>
<string>ext4</string>
<key>Leaf</key>
<true/>
</dict>
</dict>
</dict>
</plist>
(For reference, the partition represented by disk20s3 has a Content Hint of 0FC63DAF-8483-4772-8E79-3D69D8477DE4 and Leaf is True which I verified using IORegistryExplorer.app from the Xcode additional tools.)
Looking in Console it does appear now that the system is trying to use my module (ExtendFS_fskit) to probe when I plug in my USB drive, but I never see a process for my extension actually launch when trying to attach to it from Xcode by name (unlike when I use mount(8), where I can do this). However I do see a Can't find the extension for <private> error which I'm not sure is related but does sound like the system can't find the extension for some reason.
The below messages are when filtering for "FSKit":
default 19:14:53.455826-0400 diskarbitrationd probed disk, id = /dev/disk20s3, with ExtendFS_fskit, ongoing.
default 19:14:53.456038-0400 fskitd Incomming connection, entitled 1
default 19:14:53.456064-0400 fskitd [0x7d4172e40] activating connection: mach=false listener=false peer=true name=com.apple.filesystems.fskitd.peer[350].0x7d4172e40
default 19:14:53.456123-0400 fskitd Hello FSClient! entitlement yes
default 19:14:53.455902-0400 diskarbitrationd [0x7461d8dc0] activating connection: mach=true listener=false peer=false name=com.apple.filesystems.fskitd
default 19:14:53.456151-0400 diskarbitrationd Setting remote protocol to all XPC
default 19:14:53.456398-0400 fskitd About to get current agent for 501
default 19:14:53.457185-0400 diskarbitrationd probed disk, id = /dev/disk20s3, with ExtendFS_fskit, failure.
error 19:14:53.456963-0400 fskitd -[fskitdXPCServer applyResource:targetBundle:instanceID:initiatorAuditToken:authorizingAuditToken:isProbe:usingBlock:]: Can't find the extension for <private>
(I only see these messages after plugging my USB drive in. When running diskutil mount, I see no messages in the console when filtering by FSKit, diskarbitrationd, or ExtendFS afterward. It just fails.)
Is there a step I'm missing to get this to work, or would this be an FSKit bug/current limitation?
In my app the user can select a source folder to be synced with a destination folder. The sync can also happen in response to a change in the source folder detected with FSEventStreamCreate.
If the user unzips an archive in the source folder and the sync process begins before the unzip operation has completed, the sync can fail because of a "Permission denied" error. I assume this is related to the posix permissions of the extracted folder being 420 during the unzip operation and (in my case) 511 afterwards.
Is there a way to detect than an unzip operation is in progress and wait until it has completed? I thought that using NSFileCoordinator would solve this issue, but unfortunately it's not the case. Since an unzip operation can last any amount of time, it's not ideal to just delay a sync by a fixed number of seconds and let the user deal with any error if the unzip operation takes longer.
let openPanel = NSOpenPanel()
openPanel.canChooseDirectories = true
if openPanel.runModal() == .cancel {
return
}
let url = openPanel.urls[0].appendingPathComponent("extracted", isDirectory: false)
var error: NSError?
NSFileCoordinator(filePresenter: nil).coordinate(readingItemAt: url, error: &error) { url in
do {
print(try FileManager.default.attributesOfItem(atPath: url.path).sorted(by: { $0.key.rawValue < $1.key.rawValue }).map({ ($0.key.rawValue, $0.value) }))
try FileManager.default.contentsOfDirectory(at: url, includingPropertiesForKeys: nil)
} catch {
print(error)
}
}
if let error = error {
print("file coordinator error:", error)
}