External Volume/USB access on Sandboxed app not working despite using entitlements and giving access

I get the following error in the Mac console when I monitor the app:

Sandbox: *APP NAME* (1038) deny(1) file-read-data /Volumes/Untitled/DCIM/100GOPRO

Signing the sandboxed app with the usb entitlement

FYI, the USB entitlement (com.apple.security.device.usb) controls access to USB peripherals via the USB APIs. It has no effect on the file system, which is where you’re running into problems.

Giving the app Full Disk Access and External Volume Access.

This affects the mandatory access control that we added in 10.15. This applies to sandboxed apps, but sandboxed apps get additional levels of access control and that’s what you’re running into.

I'm going to suggest you take a read of the App Sandbox Design Guide. It discusses file system access in great detail. The executive summary, however, is that sandboxed app can only access files within the app’s own container. Access to other files requires an extension to their sandbox. That extension must be granted by the user, using either the standard file panels, drag’n’drop, Apple events, or whatever.

Once the app has been granted such access, it can persist that access using a security-scope bookmark. So, for example, if you prompt the user to select the root of the volume, you will be able to access that volume now and in the future.

This checking is done by path, so if all the volumes are called Untitled, and hence get mounted at /Volumes/Untitled, you can prompt once and be done. However, if the user inserts a volume with a different name, you’ll need to prompt again.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Hi Ekismo and thank you so much for your explanation,

I was going over the documentation but I couldn't understand if I can initiate a request from the user to access a certain path.

e.g.
I would like to use NSOpenPanel to request access to /Volumes/Untitled when the user first launches the app and then bookmark the scope once he approves it.

Is that possible or does the user have to select the path on his own?

Thank you!

Also, I don't seem to find any way to use AppleKit with anything that isn't Swift/Objective C, is there no javascript support?

Is that possible or does the user have to select the path on his own?

To open the panel at a specific location set the directoryURL property before you present the panel. This works even if you don’t currently have access to that directory.

Also, I don't seem to find any way to use AppleKit with anything that
isn't Swift/Objective C, is there no javascript support?

[I presume you meant AppKit in the above.]

Apple’s SDKs support Swift and Objective-C[++]. They do not provide any JavaScript bindings. There may be third-party solutions for this but I don’t have any expertise in that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"