Sandbox - killall Operation not permitted


Problem description

I'm writing a small Mac application (in Obj-C) which runs the following command:

system("killall Finder");

I wanted to see what would happen if I sandbox the app (as sandboxing will be required on June 01), and the app wouldn't work. I got the following response:

killall: warning: kill -TERM 6524: Operation not permitted

Is there any way to get around that? As in a specific entitlement to add or another way to run the command?

Thanks.

Recommended answer

Your app completely goes against the spirit of the sandbox, so there's almost no chance that the MAS reviewers will accept it. Also, you may be surprised at what "defaults write com.apple.finder" does from inside your sandbox—basically, nothing useful. You'll have to use a temporary exception entitlement to home-relative /Library/Preferences/com.apple.finder.plist, use some non-sandbox-affected API to get the path to home (e.g., getpwent()->pw_dir), and load and save the plist directly. And then you'll discover that there is no way to call on a non-child process from a sandboxed app, period, no way around it—and if you try to system killall, it ends up running inside the same sandbox as you, and therefore has the same limitations.

However, you asked a specific question as to whether there's a way around that system killall failing, and there are at least three (not counting holes in the sandbox which have either been plugged by 10.7.4 or will surely be plugged soon):

  1. You can create a helper app that isn't sandboxed, that does the killall for you. The only two App Store-approved ways to do this are XPC and SMLoginItemSetEnabled. And you're not allowed to enable the helper without the user explicitly telling you to do so.

  2. You can send Finder an Apple Event asking it to quit, instead of signaling it. The easiest way to do this is to execute the AppleScript 'tell app "Finder" to quit'. At least for 10.7.3 and earlier, you'll need a temporary exception entitlement to send Apple Events to com.apple.finder. (There may be different mechanisms for future OS versions, but nobody can discuss them outside the NDA forums.)

  3. You can send an Apple Event to some other process—like System Events—to kill Finder on your behalf.

And so on.
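
The second option in the answer above, as an added example that is not part of the original answer: the app asks Finder to quit through an Apple Event and reports the error when the sandbox refuses it. The function name `QuitFinderViaAppleEvent` is hypothetical, and the entitlement keys in the header comment are the ones the example assumes the sandboxed app is signed with.

```objc
// Added example, not code from the original answer.
// Compiles with: clang -fobjc-arc -framework Foundation quitfinder.m -o quitfinder
//
// Entitlements assumed for the sandboxed app:
//   <key>com.apple.security.app-sandbox</key><true/>
//   <key>com.apple.security.temporary-exception.apple-events</key>
//   <array><string>com.apple.finder</string></array>
#import <Foundation/Foundation.h>

// Hypothetical helper: asks Finder to quit with an Apple Event instead of a signal.
// Returns YES on success; on failure fills *outError with the AppleScript error.
static BOOL QuitFinderViaAppleEvent(NSError **outError) {
    NSAppleScript *script =
        [[NSAppleScript alloc] initWithSource:@"tell application \"Finder\" to quit"];
    NSDictionary *errorInfo = nil;
    NSAppleEventDescriptor *reply = [script executeAndReturnError:&errorInfo];
    if (reply != nil) {
        return YES;
    }
    if (outError != NULL) {
        // Without the apple-events exception the sandbox denies the event,
        // and the denial surfaces here as an AppleScript error dictionary.
        NSNumber *code = errorInfo[NSAppleScriptErrorNumber];
        NSString *message = errorInfo[NSAppleScriptErrorMessage] ?: @"Apple Event failed";
        *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                        code:code.integerValue
                                    userInfo:@{NSLocalizedDescriptionKey : message}];
    }
    return NO;
}

int main(void) {
    @autoreleasepool {
        NSError *error = nil;
        if (!QuitFinderViaAppleEvent(&error)) {
            NSLog(@"Finder did not quit: %@ (%ld)",
                  error.localizedDescription, (long)error.code);
            return 1;
        }
    }
    return 0;
}
```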
