Specify multiple paths in Entitlement Security temporary-exception?

Discussion in 'Mac Programming' started by ArtOfWarfare, Dec 7, 2013.

  1. ArtOfWarfare macrumors G3


    Nov 26, 2007
    Does anyone know the proper way of specifying multiple paths in an Entitlement file for a single key? I need to have read-write access to the file /var/run/usbmuxd and read-write access to the directory /var/db/lockdown/

    I got the key com.apple.security.temporary-exception.files.absolute-path.read-write from this section of Apple's page on Entitlements: https://developer.apple.com/library...s.html#//apple_ref/doc/uid/TP40011195-CH5-SW7

    For a value, I put down
    With a semicolon separating the different paths, but I wasn't sure if that was correct or not.

    I also tried using an array, instead.

    The framework I'm using (https://github.com/samdmarshall/SDMMobileDevice) said I needed read-write access to those paths, but the errors it's throwing at me aren't particularly clear on whether it's properly getting access to the paths it needs or not.

    Here's the error message:
    lockssl_handshake: SSL handshake fatal lower level error 1: (null).
  2. chown33 macrumors 604

    Aug 9, 2009
    Sailing beyond the sunset
    From the cited Apple link (bold added):
    For each path that you want to enable access to, specify the path as a string value for the appropriate entitlement key’s value array. Each string must start with a slash (/) character—whether it represents an absolute path or a path relative to the user’s home directory. If a path you provide specifies a directory rather a file, you must end the path with a slash character.
    From this, I would conclude:
    1. The value of the key is an array.
    2. Every item in the array is a string.
    3. Every string starts with /.
    4. Directory paths must also end with /.

    Also, on my machine, I see /var/run/usbmuxd is actually a Unix-domain socket. This may or may not have some relevance.

    I suggest making a test-case. It should contain an entitlement for two directories. The purpose of this test-case is:
    1. To test the above four points about the form of the key's value-data.
    2. To exclude Unix-domain sockets.

    If the two-directory test-case works, then it confirms the correct form of the data. At that point, create another test-case, this time with two entries that are sockets.

    I would create these test-cases as completely separate apps, with their own new and unique ID's. This is to preclude issues that might arise if LaunchServices or the App Sandbox is caching values it had previously read from your earlier app that had a semicolon-delimited path.
  3. ArtOfWarfare thread starter macrumors G3


    Nov 26, 2007
    Thanks Chown, I must have read over that paragraph 5 times last night and I never noticed the word array until you pointed it out (I added additional emphasis beyond your bold emphasis.)

    But I realized that my entitlements file wasn't actually related to the issue because my app isn't being properly code signed / sandboxed right now. I contacted the main developer of the project and he says he's received multiple reports of the bug but hasn't had a chance to resolve it. Fortunately, it's open source so I'm digging through it now... I suspect there's an OpenSSL function that's returning an error that's being ignored, which is causing subsequent OpenSSL functions to throw exceptions.

Share This Page