Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Note that this isn't "Mac's sandbox system", it's TCC. That's an important distinction to make, because apps that have opted into the proper App Sandbox can't do this... they don't even have the ability to display a prompt for direct access to Documents/.

With the App Sandbox, sandbox extensions are issues whenever you open a file using the file picker. They only last until the app is restarted.

A caveat is that you can save "Security Scoped bookmarks" (basically a signed base64 blob [1]) and pass that around to preserve access, but that isn't very common.

[1] https://www.mothersruin.com/software/Archaeology/reverse/boo...



Yes, TCC is what I meant, but my understanding is TCC is a platform wide sandboxing system?


TCC is a leaky shoot at limiting non-sandboxed apps permissions. The actual macOS sandbox is a different thing.

I would say that TCC is working as intended, unfortunately, with many obscure behaviors to avoid breaking existing apps.

It's even more unfortunate that a lot of apps that could be easily sandboxed aren't.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: