sandboxd: deny file-write-unlink messages - Githubissues

ronaldoussoren / py2app

py2app is a Python setuptools command which will allow you to make standalone Mac OS X application bundles and plugins from Python scripts.

Other

350 stars 35 forks source link

sandboxd: deny file-write-unlink messages #101

Closed ronaldoussoren closed 10 years ago

ronaldoussoren commented 11 years ago

Original report by George Henne (Bitbucket: ghenne, GitHub: ghenne).

After creating a .pkg file with the app created by py2app, I get a series of messages like this when I install the pkg and run the app:

3/9/13 2:15:48.388 PM sandboxd: ([3841]) AppStudio(3841) deny file-write-unlink /Applications/AppStudio.app/Contents/Resources/lib/python2.7/email/__init__.pyc

Our app doesn't do any unlinking, so my guess it that py2app is doing something to cause this. We do import email.generator.

This only seems to happen on a system with the Python dev chain installed. On a clean system, the errors do not show.

ronaldoussoren commented 11 years ago

Original comment by Ronald Oussoren (Bitbucket: ronaldoussoren, GitHub: ronaldoussoren).

I haven't researched this yet, but my gut feeling is that this is the automatic compilation of .py files to .pyc files by the interpreter.

If I'm right the attached patch will fix the issue (but only after rebuilding the stub executables, for which I'll have to boot my OSX 10.6 VM).

ronaldoussoren commented 11 years ago

Original comment by Ronald Oussoren (Bitbucket: ronaldoussoren, GitHub: ronaldoussoren).

It would also be better to ensure that the entire app bundle is read only, apps should not write to files in their bundle in the first place.

That change would not be backward compatible and would likely break some applications, and that means I'll have to introduce this in stages.

ronaldoussoren commented 11 years ago

Original comment by Ronald Oussoren (Bitbucket: ronaldoussoren, GitHub: ronaldoussoren).

BTW. Are you using /usr/bin/python?

If you are you've found another bug as well: py2app shouldn't have copied parts of the stdlib of /usr/bin/python into the app bundle in the first place.

ronaldoussoren commented 11 years ago

Original comment by Ronald Oussoren (Bitbucket: ronaldoussoren, GitHub: ronaldoussoren).

Changeset ec3e4051affc (branch-0.7) fixes part of the problem: with that patch py2app will no longer copy the email package into the app bundle when using /usr/bin/python.

ronaldoussoren commented 11 years ago

Original comment by George Henne (Bitbucket: ghenne, GitHub: ghenne).

I'm building cleanly now, so I'm going hold off on changes to my build chain until I do an actual submission to the Mac App Store.

I change the entire .app to read only before I do the code signing and productbuild.

chmod -R a+xr AppStudio.app

ronaldoussoren commented 11 years ago

Original comment by Falkor Systems, Inc. (Bitbucket: FalkorSystems, GitHub: FalkorSystems).

This did not fix my yaml deny file-write-unlink problem, but it's not fatal so I'm not going to worry about it.

ronaldoussoren commented 10 years ago

Original comment by Ronald Oussoren (Bitbucket: ronaldoussoren, GitHub: ronaldoussoren).

Should be fixed in the upcoming release.