FlickrExport thus didn’t find its preferences. It lost its Flickr API token, thought I hadn’t purchased, and lost my preferences for which keywords to hide. I re-added these, but it wasn’t until after I’d uploaded a set that I realized I had forgotten to re-enable the preferences to save the Flickr ID and URL back to Aperture. Thus, the options to replace photos and update metadata didn’t work until I’d copied and pasted all the photo IDs from the Web site. In retrospect, I should have moved the preferences file to the new location right after updating Aperture. Of course, I would have if I had known then that it was sandboxed.
Knowing a bit about how Aperture works, I wondered how some of its features could be made to work in the App Sandbox. The answer is that Apple plays by different rules. For example, my copy of Aperture isn’t from the Mac App Store, but it has access to iCloud. Third-party applications need to use clunky UI workarounds and security-scoped bookmarks to access files outside of a document package; Apple simply gives Aperture a
com.apple.security.temporary-exception.files.absolute-path.read-write entitlement with value
/, i.e. read-write access to the entire filesystem. Aperture also makes use of
com.apple.security.temporary-exception.sbpl, which Daniel Jalkut noted is the Big Red Button.
Also note that, aside from “com.apple.PhotoApps.AVCHDConverter.xpc” (presumably a codec), Aperture does not use XPC services for privilege separation. The main Aperture application has full hard drive access, as well as being a network client, a network server, and all the rest.
With so many entitlements and temporary exceptions, it doesn’t seem like “sandboxing” Aperture in this way provides many security benefits. Aperture isn’t protected from bugs in itself. And a malicious plug-in could read my address book (or, indeed, any file on my hard drive) and upload it over the network. However, it does restrict what plug-ins can do a bit. For example, Aperture has temporary exceptions for sending Apple events to Mail and iTunes; other event targets are forbidden. This means, for example, that you can no longer write a plug-in that integrates Aperture with Photoshop or Acorn.
Here’s the full list of Aperture 3.4 entitlements:
icarus$ codesign -d --entitlements - /Applications/Aperture.app|bbedit Executable=/Applications/Aperture.app/Contents/MacOS/Aperture <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>F9L2L89K5X.com.apple.Aperture</string> <key>com.apple.private.icloud-account-access</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.assets.movies.read-write</key> <true/> <key>com.apple.security.assets.music.read-only</key> <true/> <key>com.apple.security.assets.pictures.read-write</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.library-repair.extensions</key> <array> <string>photolibrary</string> <string>aplibrary</string> </array> <key>com.apple.security.library-repair.ostype</key> <array> <string>iPlb</string> </array> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> <key>com.apple.security.personal-information.addressbook</key> <true/> <key>com.apple.security.print</key> <true/> <key>com.apple.security.temporary-exception.apple-events</key> <array> <string>com.apple.mail</string> <string>com.apple.itunes</string> </array> <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key> <string>/</string> <key>com.apple.security.temporary-exception.mach-lookup.global-name</key> <array> <string>com.apple.photostream-agent</string> </array> <key>com.apple.security.temporary-exception.mach-lookup.global-name:before:10.8</key> <array> <string>com.apple.AOSNotification-FMM</string> </array> <key>com.apple.security.temporary-exception.sbpl</key> <string> (begin (allow file-search) (allow ipc-posix-sem) (allow system-fsctl)) </string> <key>com.apple.security.temporary-exception.shared-preference.read-only</key> <array> <string>com.apple.iPhoto</string> </array> <key>com.apple.security.temporary-exception.shared-preference.read-write</key> <array> <string>com.apple.Aperture</string> <string>com.apple.iApps</string> <string>com.apple.iLifePhotoStream</string> <string>com.apple.iLifeAssetManagement.agent</string> <string>com.apple.iLifeAssetManagement.crash</string> <string>com.apple.iLifePhotoStream.importstatus</string> <string>MobileMeAccounts</string> <string>com.apple.ImageCapture2</string> <string>com.apple.mcxprinting</string> </array> </dict> </plist>
Stay up-to-date by subscribing to the Comments RSS Feed for this post.