Is it possible to have access to write to the /Library/ ? Full Disk Access

Bear in mind I am new to MacOS development, I'm still learning the basics.

I read a ton of "Full Disk Access" threads and still haven't been able to figure it out.

Anyway, I'm making an app that does some modifications to audio plugins, on Mac they're stored in /Library/Audio/Plug-Ins/. I know this is not allowed by guidelines and wouldn't be accepted by the Appstore but I dont care about that.

Even after I grant my debug build “Full Disk Access” manually by dragging it to the MacOS security preferences my app still reports "Permission denied" errors on the console but the app works fine to modify things in the /Applications/ folder for example.

I’ve tried setting the entitlements of App Sandbox to both On and Off, and also tried the NSOpenPanel approach of having to manually browse to the /Library/Audio/Plug-Ins/ location but so far nothing worked.

Any tips on how to really grant an app full disk access or for the /Library/ it’s just not possible?

Accepted Reply

macOS has multiple different file system permission models and you are mixing up which one is blocking this request (it’s not MAC or App Sandbox, it’s BSD permissions). Check out On File System Permissions and then write back if you have follow-up questions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies

macOS has multiple different file system permission models and you are mixing up which one is blocking this request (it’s not MAC or App Sandbox, it’s BSD permissions). Check out On File System Permissions and then write back if you have follow-up questions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for taking the time to reply. My errors are tied to Foundations FileManager so I guess it's EACCES.

As I understood the only way to have access to writing the /Library/Audio/Plug-Ins/ is to either:

  1. Use NSPanel to prompt the user for the folder + NSURL class to create a bookmark + NSFileManager to resolve the bookmark and reload it when the app launches.
  2. Or implement "helper tool" / "privileged helper daemon"

Method 1 will require the user to either be prompted for folders or has to drag-and-drop it to the application. Method 2 is way too complicated for me at this point.

If anyone knows of other methods I would love to hear about them. Thanks

Your first option won’t work. The technique you’ve described helps with App Sandbox and MAC permissions, but won’t help with BSD permissino.

Your second option will work but, as you outlined, it’s a bunch of code. If you want to explore this further, see BSD Privilege Escalation on macOS.

Earlier you wrote:

I'm making an app that does some modifications to audio plugins

What does “some modifications” mean here? Because the most common scenario is installing an audio plug-in, and for that your best option is to create an installer package.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"