How to create a custom readable symlink out of a sandboxed container?

macos symlink permission library

Solution 1:

Unlikely to be Possible

I suspect that if this were possible with a symlink, Apple would consider it a serious security flaw.

That said, see Why is the symlink I created inside an application container to allow for external storage not working? for possible solutions.

Sandboxed applications can only read the contents their containers, some global locations, and the locations explicitly granted to them by the user – via the Powerbox mechanism.

See Powerbox and File System Access Outside of Your Container:

Your sandboxed app can access file system locations outside of its container in the following three ways:

  • At the specific direction of the user
  • By using entitlements for specific file-system locations (described in > - Entitlements and System Resource Access)
  • When the file system location is in certain directories that are world readable

Given the list above, you may be able to extend the entitlements for the application to include your specific location and then resign the application.

Bypass the Problem

Alternatively, consider stripping the application of its sandboxing entitlement. You could try ad-hoc resigning the application and omit the entitlements entirely.

Related

Automator/AppleScript: move folders to a location based on their name
How could I delete DCIM sub folders in iphone
Ember transition & rendering complete event
redirect all .html extensions to .php
Dictionary.ContainsKey return False, but a want True
Eclipse Java; export jar, include referenced libraries, without fatjar
Using "if let..." with many expressions
Convert date from milliseconds to ISODate object
Why and how does C# allow accessing private variables outside the class itself when it's within the same containing class?
Get member to which attribute was applied from inside attribute constructor?
Milliseconds in POSIXct Class
using LINQ to find the cumulative sum of an array of numbers in C#