8
votes

I have some problems understanding the new Lion's Sandbox.

I know that Lion includes a trusted daemon process called Powerbox whose job is to present and control open/save dialog boxes on behalf of sandboxed applications.

As the Code Signing and Application Sandboxing Guide says:

Any time an application running inside a sandbox invokes an NSOpenPanel or NSSavePanel dialog, rather than showing the panels directly, AppKit automatically asks the Powerbox to present the dialog. From a developer perspective, there are no code changes required in terms of how these panels are used; this process is fully transparent.

After the user selects a set of files or directories, the Powerbox uses new functionality in the sandbox kernel module to expand the invoking application's sandbox to allow access to the selected files. By the time the application code queries the panel for the returned URLs or filenames, it already has permission to access those files, and can continue to use the files through almost any API it already uses.

Ok. I did some practical tests using this code:

NSSavePanel *savePanel = [NSSavePanel savePanel];
savePanel.delegate = self;

savePanel.directoryURL = ...;
savePanel.nameFieldStringValue = ...;

[savePanel beginSheetModalForWindow:self.window
                  completionHandler:^(NSInteger returnCode) {
/* the completion handler */
}];

The strange thing is that the NSOpenSavePanelDelegate methods, which are called BEFORE the completion handler, do not have access to files on the filesystem.

Is this correct?

But if so, the delegate's methods like panel:validateURL:error: become useless!

Can you help me by explaining in more detail the connections between the app and Powerbox?

1
Why does your validateURL: method need access to the file system? The URL of the file in question is passed to the delegate method, what else do you need? - Rob Keniger
I would like to analyze, for example, if the specified URL is writable, and, if not, return NO. - Dev
Anyway, can you confirm to me that the NSOpenSavePanelDelegate's methods do not have access to the filesystem? Only the completion handler can access the selected file? (The official documentation is lacking, in my opinion.) - Dev
I can confirm that you don't have access to the file system in the panel:validateURL:error: delegate method. You should log a bug with Apple if you want this changed. - Rob Keniger

1 Answer

9
votes

After contacting Apple, I can confirm what Rob Keniger wrote: NSOpenSavePanelDelegate methods don't have access to the filesystem in sandboxed applications.
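The pattern that follows from the question and this answer, as an added example that is not code from the question's author or from Apple: the delegate's panel:validateURL:error: runs before Powerbox has extended the sandbox, so it can only inspect the URL itself (here, a file-name check); the writability concern from the comments is handled by attempting the write in the completion handler, where the app already holds access to the chosen file, and reporting the error if it fails. The ExportController class, its payload property, the ".txt" rule and the use of NSLog for reporting are assumptions made for the example, not anything from the original post.

```objectivec
#import <Cocoa/Cocoa.h>

// Hypothetical controller (constructed for this example, not from the question).
@interface ExportController : NSObject <NSOpenSavePanelDelegate>
@property (nonatomic, strong) NSWindow *window;   // window the sheet attaches to
@property (nonatomic, strong) NSData   *payload;  // bytes the user wants to save
@end

@implementation ExportController

- (void)runSavePanel {
    NSSavePanel *savePanel = [NSSavePanel savePanel];
    savePanel.delegate = self;
    savePanel.nameFieldStringValue = @"export.txt"; // constructed sample name

    [savePanel beginSheetModalForWindow:self.window
                      completionHandler:^(NSInteger returnCode) {
        if (returnCode != NSFileHandlingPanelOKButton) {
            return; // user cancelled; the sandbox was never extended
        }
        NSURL *url = savePanel.URL;

        // By the time this block runs, Powerbox has already extended the
        // sandbox to cover `url`, so ordinary file APIs work on it here.
        // Instead of probing writability up front (which the delegate cannot
        // do, and which a not-yet-existing save target would fail anyway),
        // attempt the write and treat a failure as the "not writable" case.
        NSError *error = nil;
        BOOL ok = [self.payload writeToURL:url
                                   options:NSDataWritingAtomic
                                     error:&error];
        if (!ok) {
            // Assumed reporting strategy for the example; a real app would
            // surface the NSError to the user (e.g. via -presentError:).
            NSLog(@"Could not write %@: %@", url.path, error);
        }
    }];
}

// Called BEFORE the completion handler, i.e. before the sandbox extension.
// Any NSFileManager check on `url` here reports the file as inaccessible in
// a sandboxed app, so only properties of the URL string itself are reliable.
- (BOOL)panel:(id)sender validateURL:(NSURL *)url error:(NSError **)outError {
    if (![url.pathExtension isEqualToString:@"txt"]) {
        if (outError) {
            *outError = [NSError errorWithDomain:NSCocoaErrorDomain
                                            code:NSFileWriteInvalidFileNameError
                                        userInfo:@{NSLocalizedDescriptionKey:
                                                   @"Please use a .txt file name."}];
        }
        return NO; // the panel stays open and shows the error to the user
    }
    return YES;
}

@end
```

Splitting the checks this way keeps the delegate usable for what it can still see (the name the user typed) while leaving every decision that needs real filesystem state to the one place Powerbox has granted it.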