How to create a custom readable symlink out of a sandboxed container?
Solution 1:
Unlikely to be Possible
I suspect that if this were possible with a symlink, Apple would consider it a serious security flaw.
That said, see "Why is the symlink I created inside an application container to allow for external storage not working?" for possible solutions.
Sandboxed applications can only read the contents of their containers, some global locations, and the locations explicitly granted to them by the user – via the Powerbox mechanism.
See Powerbox and File System Access Outside of Your Container:
Your sandboxed app can access file system locations outside of its container in the following three ways:
- At the specific direction of the user
- By using entitlements for specific file-system locations (described in Entitlements and System Resource Access)
- When the file system location is in certain directories that are world readable
Given the list above, you may be able to extend the entitlements for the application to include your specific location and then re-sign the application.
Bypass the Problem
Alternatively, consider stripping the application of its sandboxing entitlement. You could try ad-hoc re-signing the application and omit the entitlements entirely.
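An added example, not part of the original answer: a small Python audit of an application's entitlements plist that reports whether the sandbox is enabled and whether a symlink's resolved target falls under a file-location entitlement. The plist, the paths and the home directory are constructed, and the path matching (a trailing `/` marks a directory grant) is a simplified model of the entitlement list, not the sandbox's own enforcement.

```python
import plistlib
import posixpath

# Constructed sample entitlements plist (not taken from any real application).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.files.user-selected.read-only</key><true/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
  <array><string>/Volumes/External/Library/</string></array>
</dict></plist>"""

EXCEPTION = "com.apple.security.temporary-exception.files."
POWERBOX = "com.apple.security.files.user-selected."


def audit(plist_bytes):
    """Summarise the sandbox-related entitlements in a plist."""
    ent = plistlib.loads(plist_bytes)
    grants = []
    for key, value in ent.items():
        if key.startswith(EXCEPTION):
            # e.g. "absolute-path.read-only" -> ("absolute-path", "read-only")
            kind, mode = key[len(EXCEPTION):].rsplit(".", 1)
            grants += [(kind, mode, path) for path in value]
    return {
        "sandboxed": ent.get("com.apple.security.app-sandbox") is True,
        "powerbox": any(k.startswith(POWERBOX) and v is True
                        for k, v in ent.items()),
        "grants": grants,
    }


def covered(report, target, home="/Users/example"):
    """True if `target` (a symlink's resolved destination) is granted.

    `home` is a hypothetical home directory for home-relative grants.
    """
    if not report["sandboxed"]:
        return True  # no sandbox entitlement, so no container restriction
    target = posixpath.normpath(target)  # collapse ".." before matching
    for kind, _mode, path in report["grants"]:
        base = path if kind == "absolute-path" else home + path
        if base.endswith("/"):           # assumption: trailing "/" = directory
            if (target + "/").startswith(base):
                return True
        elif target == base:
            return True
    return False
```

A target that `covered` rejects is one the application would only reach through a user-driven Powerbox selection, which is why a symlink alone does not widen access.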