FSKit Sandbox restrictions and automatic tests

Hi,

I am currently in the process of writing an FSKit extension. My goal is to implement something similar to unionfs/mergerfs with FSKit. For this to work, my extension requires access to a set of user-provided file paths. I use FSGenericURLResource with query parameters for this. But the sandbox restrictions make this impossible. This is why I tried to implement a privileged helper, but this makes it even more complicated and slower. Is there a way to disable the sandbox restrictions for the extension? I don't plan any App Store publishing, which makes this even more frustrating. When I remove the sandbox entitlement, I can't load the plugin with pluginkit -a anymore. Or is there any other recommended way, except a privileged helper?

Another question I have on my mind: How do I write proper tests for an FSKit extension? You can load the extension via pluginkit -a and also remove it, but you can't enable it in the system panel. I have no idea how to build automatic tests with this restriction.

Lovely greetings, Nils

I think FSKit modules have to be sandboxed, but since you're not planning to be on the App Store and thus don't need to care about App Review, have you looked at the temporary exception entitlements (https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/AppSandboxTemporaryExceptionEntitlements.html)? You might find the file access ones useful.

By the way, it's usually best to make a reply instead of leaving a comment. Comments are easy to miss and usually don't create notifications.

Do you know whether I can use com.apple.security.temporary-exception.files.absolute-path.read-write with /?

I think it should work, although I haven't tried it myself.
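
The entitlement discussed in this exchange takes a list of absolute paths in the extension's entitlements plist. As an added example (not code from the thread or from Apple), this Python sketch parses a constructed entitlements file and reports how broad each file temporary exception is; the sample paths and the BROAD policy set are assumptions made for illustration.

```python
import plistlib

# Constructed sample entitlements for a sandboxed extension (not from the thread).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
  <array><string>/</string><string>/Volumes/Media/</string></array>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
  <array><string>/Users/Shared/branches/</string></array>
</dict></plist>"""

SANDBOX_KEY = "com.apple.security.app-sandbox"
PREFIX = "com.apple.security.temporary-exception.files."
# Hypothetical review policy: roots that effectively open most of the disk.
BROAD = {"/", "/Users/", "/Volumes/", "/System/", "/private/"}


def audit(entitlements_xml: bytes) -> list[tuple[str, str, str]]:
    """Return (access, path, verdict) for every file temporary exception."""
    ent = plistlib.loads(entitlements_xml)
    findings = []
    if not ent.get(SANDBOX_KEY, False):
        findings.append(("-", "-", "sandbox entitlement missing"))
    for key, paths in sorted(ent.items()):
        if not key.startswith(PREFIX):
            continue
        access = key.rsplit(".", 1)[-1]  # "read-only" or "read-write"
        if isinstance(paths, str):       # tolerate a single string value
            paths = [paths]
        for path in paths:
            # Compare with a trailing slash so "/Users" and "/Users/" match alike.
            norm = path if path.endswith("/") else path + "/"
            verdict = "broad" if norm in BROAD else "scoped"
            findings.append((access, path, verdict))
    return findings


if __name__ == "__main__":
    for access, path, verdict in audit(SAMPLE):
        print(f"{verdict:7} {access:10} {path}")
```

Listing only the branch directories the union mount actually needs keeps the exception "scoped"; a `/` entry is what the check reports as "broad".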

How do I log from the extension? If I use the standard logging framework, no logs arrive in the Console app.

Not sure exactly which "standard logging framework" you're referring to (there's a lot of them), but I've been able to use Swift's Logger API (from os.log, I think if you're in Obj-C you'd use os_log) from my extension and it acts like logging from a regular app. If you're trying that and it's not working, then are you logging on the debug or info levels? Those don't show up in Console's streaming view by default unless you enable them in the Action menu. The more severe levels do show up by default.
