应用程序沙箱：如何允许XPC服务读取用户在父应用程序中打开的文件？ [英] App sandbox: how to allow XPC service to read file that user opened in parent app?

问题描述

我有一个简单的Cocoa图像预览应用程序。用户使用 NSOpenPanel 选择文件，应用程序使用Quick Look API生成预览图像。

I have a simple Cocoa image preview app. The user selects a file using an NSOpenPanel and the app generates a preview image using the Quick Look API.

I喜欢将预览生成移动到单独的XPC服务。如果没有应用程式沙箱功能，一切都正常，但是在为父应用程式和XPC服务启用应用程式沙箱功能之后， XPC服务将被拒绝对使用者所选档案的读取存取。

I'd like to move the preview generation into a separate XPC service. Without app sandboxing everything works fine, but after enabling app sandboxing for the parent app and the XPC service, the XPC service is denied read access to the user selected file.

父应用程序允许读取文件（因为它是通过NSOpenPanel选择的）。

The parent app is allowed to read the file (because it was selected through an NSOpenPanel).

如何传输文件读取权限对于用户选择的文件从父应用程序到XPC进程，以便XPC进程可以读取文件以生成预览？

How do I transfer the "file read" permissions for the user-selected file from the parent app to the XPC process so that the XPC process can read the file to generate the preview?

我的XPC服务请求文件读取通过其权限访问并且我添加以下密钥到XPC服务Info.plist，但是没有帮助：

My XPC service requests file-read access via its entitlements and I added the following key to the XPC Service Info.plist, but that did not help:

JoinExistingSession = YES

推荐答案

我不是100％在这种情况下，Apple建议将 NSFileHandle 传递给XPC进程。这样，XPC进程可以访问文件的内容，但不需要知道文件的URL。

I'm not 100% sure but I think Apple recommends passing an NSFileHandle to the XPC process in this case. That way, the XPC process can access the file's contents but does not need to know the file's URL.

编辑： Apple开发者论坛中的此线程是有用的。建议为文件的URL创建正常（非安全范围）书签。这个书签可以传递给XPC进程并由它访问。

This thread in the Apple Developer Forums is helpful. The recommendation is to create a normal (not security-scoped) bookmark for the URL of the file. This bookmark can then be passed to the XPC process and accessed by it.

这篇关于应用程序沙箱：如何允许XPC服务读取用户在父应用程序中打开的文件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！