New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
macOS sandbox preventing games from creating save files. #707
Comments
What game in particular are you experiencing this with? Here's the current policy file for the macOS sandbox: https://github.com/itchio/itch/blob/v23/appsrc/constants/sandbox-policies/macos-template.ts |
Multiple games. I kinda had it with Autonauts a few versions ago and Strive for Power has it too along with a few others. Thx for the profile, I'll take a look at it. Maybe I see where the problem lies. I've written sandbox profiles myself in the past so I should be able to read it^^ |
yep. The problem is quite clear. There's no access to $HOME, which is where these apps try to save their files and create their folders to by default. and since they do not always implement a way to change the file-destination your stuck. |
That's the annoying bit - the sandbox is supposed to prevent access to $HOME (except the folders the game absolutely needs to function), because we don't want games to steal personal data. (Exceptions for trusted developers is on my roadmap but those wouldn't be subjected to the sandbox at all). I was hoping all games would save to As for As for |
well you could use access to sh and /usr/bin to start osascript and use that to gain access to the System Event Interface over applescript (osascript) with which you could start another sh without restrictions. That's actually a known exploit: https://www.coresecurity.com/content/apple-osx-sandbox-bypass What would you propose I do about those specific games? Write external sandbox profiles outside of itch? luckily those are free2play titles. |
Ah I see, unfortunately that sounds more like a bug on the Apple sandbox side than ours - as in, I'm sure if the osascript binary (if it's a binary) can open some port and send some data, they could do it without access to the osascript binary, so preventing that will not really close the hole.
For the end-user, the app should (it doesn't yet) allow disabling the sandbox for specific games, so that would solve your issue A fix for everyone would be for those games to write to |
the itch.io sandbox option does what it's supposed to do. It stops applications from accessing the system in ways not wanted by the user. Sadly this also sometimes means, the app cannot access the folders with the save-data or even create save-data.
Another problem arises through denied read permissions, which sometimes makes it impossible to navigate to folders form within the game where saving would be allowed.
The text was updated successfully, but these errors were encountered: