Issue #101 resolved

sandboxd: deny file-write-unlink messages

George Henne
created an issue

After creating a .pkg file with the app created by py2app, I get a series of messages like this when I install the pkg and run the app:

3/9/13 2:15:48.388 PM sandboxd: ([3841]) AppStudio(3841) deny file-write-unlink /Applications/

Our app doesn't do any unlinking, so my guess it that py2app is doing something to cause this. We do import email.generator.

This only seems to happen on a system with the Python dev chain installed. On a clean system, the errors do not show.

Comments (9)

  1. Ronald Oussoren repo owner

    I haven't researched this yet, but my gut feeling is that this is the automatic compilation of .py files to .pyc files by the interpreter.

    If I'm right the attached patch will fix the issue (but only after rebuilding the stub executables, for which I'll have to boot my OSX 10.6 VM).

  2. Ronald Oussoren repo owner

    It would also be better to ensure that the entire app bundle is read only, apps should not write to files in their bundle in the first place.

    That change would not be backward compatible and would likely break some applications, and that means I'll have to introduce this in stages.

  3. Ronald Oussoren repo owner

    BTW. Are you using /usr/bin/python?

    If you are you've found another bug as well: py2app shouldn't have copied parts of the stdlib of /usr/bin/python into the app bundle in the first place.

  4. George Henne reporter

    I'm building cleanly now, so I'm going hold off on changes to my build chain until I do an actual submission to the Mac App Store.

    I change the entire .app to read only before I do the code signing and productbuild.

    chmod -R a+xr
  5. Log in to comment