I'm building ExtensionKit support into my application, which is currently not sandboxed. The extensions must be sandboxed. For my use case, I need them to be able to launch executables the user has installed, with homebrew for example.
My problem is some paths appear to disallow execution. As an example, an extension may want to run "/opt/homebrew/bin/go". This is actually just a symlink that ultimately resolves to another path under "/opt/homebrew".
If I pass along a non-security-scoped bookmark to the extension process, it is able to read the files under "/opt/homebrew". But, it cannot execute anything. The only way I have found to enable execution is by setting "com.apple.security.temporary-exception.files.absolute-path.read-only" to ["/opt/homebrew/"].
Yet, I feel like there must be a way to do this. BBEdit has a feature that allows the user to type an executable path in its settings. It will then be able to launch the targeted process, despite being a sandboxed app.
Am I seeing an ExtensionKit-specific limitation? Or perhaps my extension needs additional entitlements?
