Sandbox in Lion and Photoshop error

Hi All,

I have been able to sandbox my two image editing apps, one using sips and the other CS5 Photoshop, thanks to security-scoped bookmarks. I can post code if anyone needs help with that part of the sandbox routine.

All has been working well on 10.7.4 and the sips version works great on Mountain Lion so far with no sandbox errors showing in the console. The Adobe Photoshop version on 10.8 is throwing an error:

adobe photoshop CS5 got an error: A privilege violation occurred.

There are no sandbox errors showing in the log and the same code on 10.7.4 works perfectly. I also tried a plain AppleScript with the same call to Photoshop and that works fine.

    tell application id "com.adobe.Photoshop"
        --tell application "Adobe Photoshop CS5" (this also throws the error)
        launch
        open file openPath showing dialogs never
        --a lot more code..
    end tell

It throws the error right after the “tell application.”

Since AppleScript is working I am thinking it must be sandbox related, or ASOC/Photoshop related.

Has anyone else seen this type of error?

Thanks, Rob

Update:

After further investigation, it is the line where the path is converted to an HFS path:

    set openPath to ((filePath as text) as POSIX file) as text
    open file openPath showing dialogs never

In 10.7.4 it actually does show a console error:

iAlterImage CS(587) deny file-issue-extension /:Users:astrid:Desktop:new image.jpg

In my other app it passes the POSIX path to sips and it all works fine so I think I am stuck at this point. It doesn’t seem to allow the HFS path to be the user-chosen path passed in to Photoshop. I’ve spent a week getting this working and fear the worst now. I submitted a tech request since there is very little online about AppleScript and sandbox.

I have also noticed I am getting several warnings on launch indicating the app is not allowed to read the script file (in resources)

iAlterImage CS(375) deny file-write-data /Users/astrid/Library/Developer/Xcode/DerivedData/iAlterImage_CS-bpkqosaibwgiehhcpzcqnzmppkye/Build/Products/Debug/iAlterImage CS.app/Contents/Resources/AppDelegate.scpt

These don’t seem to cause problems but it seems odd that it gets upset at the app loading its own script class. Has anyone actually sandboxed an ASOC app yet out there? And did you see any of these issues?

Best, Rob

That looks like a POSIX path with colons in it, not an HFS path.

That looks more like a writing problem than a reading problem…

Not me. Life’s too short…

Yes, I’m ready to throw the whole thing in and go out and paint some pictures. Too limiting for me this MAS.

Cheers, Rob

Hi All.

FWIW:

    tell application id "com.adobe.Photoshop"
        open file ImagePath showing dialogs never
    end tell

After playing in the sandbox for way too long, and a talk with tech support, it doesn’t seem possible to sandbox an app that has another app open a file, at least with my tests with Adobe apps and TextEdit via apple events. You can gain access to files through open/save and then that file becomes part of your container. But then, another app won’t have permission to open it.

I thought that by setting an entitlement for the app, it would be allowed access but apparently not, at least not in OS 10.8.

These containers kind of remind me of gated communities. Give me some fresh air.

Cheers, Rob

No, and I have 2 apps in the App Store. I got them done before sandbox was required. I don’t know if I will even attempt to update them ever. Since they drive InDesign, it was too much of a pain to even contemplate sandbox; even if I did it would probably require one of those “special exemptions”. If I turned on any sandboxing, nothing worked (that was in Lion).

But I’ve decided I’m gonna be a luddite and stick with Snow Leopard for as long as possible at home. There are no things in L/ML that I desired to use. Except if they ever drop SL from running iTunes and new phones/pads won’t work; maybe. :confused:

Hi All,

FWIW, one of my ASOC image apps is now sandboxed and accepted in the App Store. So it is possible but very limited.

It took 3 rejections and resubmissions - I guess I did it just to see if it was possible.

The other app uses Photoshop to do the image stuff and was rejected. From what tech support told me, you can’t have another app accessing your chosen files within your sandbox. But this one uses sips (another app) to do just that. But sips is working via “do shell script” whereas Photoshop was via apple events and that seems to definitely not work. I did a test with TextEdit and no deal there either. So it may not be possible to use apple events to control other apps in the sandbox at all, at least where files are involved.

They told me I couldn’t use a temporary entitlement for com.apple.finder so forget about basic AS finder stuff. Luckily there is almost always a foundation equivalent in ASOC. So the temporary entitlements they will pick at. They did allow com.apple.imageevents…

I couldn’t specify any particular directories such as /Desktop/ for temporary file entitlements. All open and save must be done at run time via drag and drop or open/save. I used security scoped bookmarks to save source and destination paths to disk and they seem to retain their privileges after relaunch which is kind of cool.

I expected them to reject on the console errors (in previous listing) denying read/write for the AS scripts themselves in the bundle. But they didn’t? An oversight? I did start to get the feeling that it could depend on who reviews your app if they accept certain things or your explanation of what should be allowed for a given use.

Back to non App Store freedom.

Cheers, Rob

Hi All,

FWIW #2.

Well, I was wrong about ASOC and sandbox when trying to open a file with another app. It works!

Developer Tech person told me that the error I was getting from Photoshop meant you couldn’t “tell” Photoshop to open a file of your choosing since another app wouldn’t have permission to open a file which belongs to your container.

We went back and forth a few times. Then I remembered seeing an example of the entitlements for using image events and the entitlement was all lowercase, com.apple.imageevents.

I had entered bundle id com.adobe.Photoshop which is of course the name of the plist file in Preferences. I tried com.adobe.photoshop instead and now everything works perfectly inside sandbox. As long as the user picks the file, or drags it in to select it, you can pass that to Photoshop or TextEdit or whatever app for opening and can also save the file to a location which also has to be user selected or from save dialog etc. I added security-scoped bookmarks which save the URLs for the next launch and they retain their container status.

So it actually is pretty easy to sandbox an ASOC app and use apple events to work with other apps. So always lowercase on your entitlement strings!

Cheers, Rob
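
The lowercase-entitlement fix from the last post, as an added example that is not part of the original thread: a Python check that scans an entitlements plist for mixed-case bundle IDs in the Apple-events temporary exception and writes a corrected copy. The thread never names the entitlement key, so `com.apple.security.temporary-exception.apple-events` is an assumption about which key the poster edited; the sample plist is constructed and the function names are hypothetical.

```python
import plistlib

# Entitlement key for the Apple-events temporary exception (assumed to be the
# one the poster edited; the thread does not name it).
APPLE_EVENTS_KEY = "com.apple.security.temporary-exception.apple-events"

# Constructed sample entitlements file, not the poster's actual one.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.files.bookmarks.app-scope</key><true/>
    <key>com.apple.security.temporary-exception.apple-events</key>
    <array>
        <string>com.adobe.Photoshop</string>
        <string>com.apple.imageevents</string>
    </array>
</dict>
</plist>
"""


def apple_event_targets(entitlements):
    """Return the list of Apple-event target bundle IDs, or [] if none."""
    targets = entitlements.get(APPLE_EVENTS_KEY, [])
    if not isinstance(targets, list) or not all(isinstance(t, str) for t in targets):
        raise ValueError(APPLE_EVENTS_KEY + " must be an array of strings")
    return targets


def lint_apple_event_targets(plist_bytes):
    """Return (found, suggested) pairs for targets that are not all lowercase."""
    targets = apple_event_targets(plistlib.loads(plist_bytes))
    return [(t, t.lower()) for t in targets if t != t.lower()]


def fix_apple_event_targets(plist_bytes):
    """Return the plist re-serialized with every target lowercased, duplicates dropped."""
    entitlements = plistlib.loads(plist_bytes)
    targets = apple_event_targets(entitlements)
    if targets:
        entitlements[APPLE_EVENTS_KEY] = list(dict.fromkeys(t.lower() for t in targets))
    return plistlib.dumps(entitlements)


if __name__ == "__main__":
    for found, suggested in lint_apple_event_targets(SAMPLE):
        print("mixed-case Apple-event target %r; use %r" % (found, suggested))
```

Running the check before signing catches the mismatch at build time instead of as a runtime "privilege violation" with no sandbox entry in the console.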