Enable sandboxing #1692

Closed

Contributor

@Eitot Eitot commented May 29, 2023

Important

The system automatically migrates Vienna's library files to a sandbox container on launching Vienna with sandboxing enabled. This can be reversed by using the provided shell script (Vienna.app/Contents/SharedSupport/undo-container-migration.sh), e.g. for development purposes or for downgrading to an earlier version of Vienna.

The container-migration.plist file specifies the old and new locations for the migration. It should cover all of Vienna's directories and files, so that the user ideally ends up with a complete sandbox container.

Some system-defined locations have to be changed to avoid duplication. For example, Apple moved the cookies storage from ~/Library/Cookies to ~/Library/HTTPStorages starting with macOS 11/Safari 14. Within sandbox containers however, ~/Library/Cookies is used. The automatic migration does not overwrite files. Therefore, a migration of ~/Library/HTTPStorages is attempted first. If that attempt is successful then the migration of ~/Library/Cookies should (silently) fail; otherwise ~/Library/Cookies is migrated instead.

User preferences in ~/Library/Preferences are migrated automatically. User scripts are migrated from ~/Library/Scripts/Applications/Vienna to ~/Library/Application Scripts/<bundle ID> and a symlink is left at the former location; this also happens automatically.

The shell script uses ditto to copy the directories. Ditto will merge directories rather than overwrite them, if the destination directory exists. It will, however, overwrite individual files.
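
Because the description above says the copy merges directories but overwrites individual files, a pre-flight check can list what would be replaced before the migration is reversed. The following is an added example, not part of the pull request or of Vienna's undo script; the function names `list_overwrites` and `backup_conflicts` and the paths in the usage comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not Vienna's undo-container-migration.sh).
# SRC is the tree being copied from, DST the tree being merged into.
# Assumption: file names contain no newline characters.

# Print the relative path of every regular file under SRC that already
# exists under DST with different content, i.e. what a merging copy that
# overwrites individual files would replace.
list_overwrites() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    [ -d "$dst" ] || return 0    # no destination tree: nothing can be lost
    ( cd "$src" && find . -type f -print ) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        if [ -f "$dst/$rel" ] && ! cmp -s "$src/$rel" "$dst/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Copy the DST version of each conflicting file into BACKUP, keeping the
# directory layout, so an overwrite can be undone file by file.
backup_conflicts() {
    src=$1
    dst=$2
    backup=$3
    list_overwrites "$src" "$dst" | while IFS= read -r rel; do
        mkdir -p "$backup/$(dirname "$rel")" &&
            cp -p "$dst/$rel" "$backup/$rel" || exit 1
    done
}

# Usage (placeholder paths):
#   list_overwrites  "<container copy of a directory>" "<original location>"
#   backup_conflicts "<container copy of a directory>" "<original location>" "<backup dir>"
```

Files that exist only on one side, or that are byte-identical on both, are not reported, since a merge leaves their content unchanged.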

@Eitot Eitot linked an issue May 29, 2023 that may be closed by this pull request
@Eitot Eitot force-pushed the feature/sandbox branch from 30ffdeb to a6bf959 Compare May 29, 2023 08:02
@Eitot Eitot force-pushed the feature/sandbox branch 3 times, most recently from 61806e8 to 49cb216 Compare July 2, 2023 18:55
@Eitot Eitot force-pushed the feature/sandbox branch from 49cb216 to 9b18b87 Compare July 16, 2023 11:13
@Eitot Eitot force-pushed the feature/sandbox branch from 1c164f6 to 4b76dba Compare July 7, 2024 08:05
@Eitot Eitot force-pushed the feature/sandbox branch from 4b76dba to ce9aec3 Compare July 21, 2024 21:49
Eitot added 3 commits July 25, 2024 20:39
Note: The system automatically migrates Vienna's library files to a sandbox container on launching Vienna with sandboxing enabled. This can be reversed by using the provided shell script, e.g. for development purposes or for downgrading to an earlier version of Vienna.

The container-migration.plist file specifies the old and new locations for the migration. It should cover all of Vienna's directories and files, so that the user ideally ends up with a complete sandbox container.

Some system-defined locations have to be changed to avoid duplication. For example, Apple moved the cookies storage from ~/Library/Cookies to ~/Library/HTTPStorages starting with macOS 11/Safari 14. Within sandbox containers however, ~/Library/Cookies is used. The automatic migration does not overwrite files. Therefore, a migration of ~/Library/HTTPStorages is attempted first. If that attempt is successful then the migration of ~/Library/Cookies should (silently) fail; otherwise ~/Library/Cookies is migrated instead.

User preferences in ~/Library/Preferences are migrated automatically. User scripts are migrated from ~/Library/Scripts/Applications/Vienna to ~/Library/Application Scripts/<bundle ID> and a symlink is left at the former location; this also happens automatically.

The shell script uses ditto to copy the directories. Ditto will merge directories rather than overwrite them, if the destination directory exists. It will, however, overwrite individual files.
NSOpenSavePanelDelegate methods do not work with sandboxing. The URLs returned by the delegate callbacks are inaccessible until NSOpenPanel calls the completion handler. A workaround is to validate the URL after it was selected. When the URL is inaccessible (i.e. not writable) then an error is shown and the open panel reopens, giving the user the opportunity to choose a different directory or cancel.
@Eitot Eitot added the changes localisations 💬 This pull request adds, changes or removes localisation keys. label Jul 26, 2024
@Eitot Eitot force-pushed the feature/sandbox branch from ce9aec3 to 0beb28f Compare July 26, 2024 06:47
@Eitot Eitot removed the changes localisations 💬 This pull request adds, changes or removes localisation keys. label Jul 26, 2024
@Eitot Eitot closed this Oct 29, 2024
@barijaona
Member

@Eitot: can you indicate a specific reason which led you to close this work in progress?

@Eitot
Contributor Author

Eitot commented Nov 4, 2024

I didn't feel confident enough to submit this. Enabling sandboxing will make it cumbersome to downgrade to previous versions. There have been some significant issues in the releases lately that have given me pause. I intend to keep the branch up to date though and revisit this in the future.

Successfully merging this pull request may close these issues.

Mac App Store distribution question