Sandboxed applications fail to mount NFS using NetFSMountURLSync

Mounting NFS to the application's own container directory using NetFSMountURLSync failed.

Mounted to /Users/li/Library/Containers/com.xxxxx.navm.MyNavm/Data/Documents/NFSMount

Do sandbox applications not allow mounting NFS cloud storage?

code:

        // 1. NFS server URL (specifying NFSv3)
        let urlString = "nfs://192.168.64.4/seaweed?vers=3&resvport&nolocks&locallocks&soft&intr&timeo=600"

        guard let nfsURL = URL(string: urlString) else {
            os_log("❌ 无效的 URL: %@", log: netfsLog, type: .error, urlString)
            return
        }
        
        // 2. Mount point (must be inside the sandbox container)
        let fileManager = FileManager.default
        guard let documentsURL = fileManager.urls(for: .documentDirectory, in: .userDomainMask).first else {
            os_log("❌ 无法获取 Documents 目录", log: netfsLog, type: .error)
            return
        }
        let mountPointURL = documentsURL.appendingPathComponent("NFSMount", isDirectory: true)
        
        // Create the mount point directory
        do {
            try fileManager.createDirectory(at: mountPointURL, withIntermediateDirectories: true, attributes: nil)
            os_log("✅ 挂载点目录已准备: %@", log: netfsLog, type: .info, mountPointURL.path)
        } catch {
            os_log("❌ 创建挂载点目录失败: %@", log: netfsLog, type: .error, error.localizedDescription)
            return
        }
        
        // 3. Mount options (use NSMutableDictionary to match CFMutableDictionary)
        let mountOptions = NSMutableDictionary()
        // Options can be added here if needed, for example:
        // mountOptions[kNetFSNoUserAuthenticationKey as String] = true
        
        // 4. Call NetFSMountURLSync
        var mountPoints: Unmanaged<CFArray>? = nil
        let status = NetFSMountURLSync(
            nfsURL as CFURL,
            mountPointURL as CFURL,
            nil,  // user
            nil,  // password
            nil,  // open_options
            mountOptions,  // Passed directly as an NSMutableDictionary; bridged automatically to CFMutableDictionary
            &mountPoints
        )

log:

0 sandboxd: (TCC) [com.apple.TCC:cache] REMOVE: (kTCCServiceSystemPolicyAppData, <Credential (0x7ed0b4230) | Audit Token, 42834.109774/501>) 2026-03-03 21:38:27.656702+0800 0x2de8d8 Info 0x867e9d 408 0 sandboxd: (TCC) [com.apple.TCC:cache] SET: (kTCCServiceSystemPolicyAppData, <Credential (0x7ed0b4230) | Audit Token, 42834.109774/501>) -> <Authorization Record (0x7ecca8180) | Service: kTCCServiceSystemPolicyAppData, AuthRight: Unknown, Reason: None, Version: 1, Session pid: 42832, Session pid version: 109769, Boot UUID: 7DDB03FC-132C-4E56-BA65-5C858D2CC8DD, > 2026-03-03 21:38:27.656753+0800 0x2de8d8 Default 0x867e9d 408 0 sandboxd: (libxpc.dylib) [com.apple.xpc:connection] [0x7ecc88640] invalidated after the last release of the connection object 2026-03-03 21:38:27.656772+0800 0x2de8d8 Debug 0x867e9b 408 0 sandboxd: (TCC) [com.apple.TCC:access] disposing: 0x7ecc3aa80(OS_tcc_message_options) 2026-03-03 21:38:27.656779+0800 0x2de8d8 Debug 0x867e9b 408 0 sandboxd: (TCC) [com.apple.TCC:access] disposing: 0x7ecc44820(OS_tcc_server) 2026-03-03 21:38:27.656788+0800 0x2de8d8 Info 0x867e9b 408 0 sandboxd: [com.apple.sandbox:sandcastle] kTCCServiceSystemPolicyAppData would require prompt by TCC for mount_nfs

I’m having trouble reading that log. Can you post another copy, this time formatting it as a code block?

If you’re not familiar with the code block format, there’s advice on that in tip 5 of Quinn’s Top Ten DevForums Tips.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

System version: 26.2 (25C56)
Xcode version: Version 26.2 (17C52)

My attempt to mount to the /Volumes directory was also denied due to permissions. Providing the user with a mount point also resulted in permission denial.

Simple log:
默认	20:12:14.201225+0800	NetAuthSysAgent	Process 54430 is sandboxed and is allowed to mount a shared volume because it has the proper permissions.
默认	20:12:14.201351+0800	NetAuthSysAgent	Mount URL: request C78993FC-5F67-4D47-B394-23AEE1F33FF1 from MyNavm (54430)
默认	20:12:14.237651+0800	NetAuthSysAgent	GetServerInfo serverParamsDict = {
    NoMountAuthentication = 1;
    ServerDisplayName = "192.168.139.236";
    SupportsGuest = 0;
}
默认	20:12:14.266567+0800	NetAuthSysAgent	(31) /Applications/Mountain Duck.app
默认	20:12:14.267956+0800	NetAuthSysAgent	(31) /Applications/Mountain Duck.app
默认	20:12:14.269373+0800	NetAuthSysAgent	(31) /Applications/Mountain Duck.app
默认	20:12:14.270843+0800	NetAuthSysAgent	(31) /Applications/Mountain Duck.app
默认	20:12:14.271325+0800	NetAuthSysAgent	Calling Mount
默认	20:12:14.271343+0800	NetAuthSysAgent	    Mount point = /Users/li/Library/Containers/com.lishuangzhi.navm.MyNavm/Data/Documents/NFSMount
默认	20:12:14.279783+0800	tccd	AUTHREQ_ATTRIBUTION: msgID=408.1143, attribution={responsible={TCCDProcess: identifier=com.apple.NetAuthSysAgent, pid=54463, auid=501, euid=501, responsible_path=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent, binary_path=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent}, accessing={TCCDProcess: identifier=com.apple.mount_nfs, pid=54466, auid=501, euid=501, binary_path=/sbin/mount_nfs}, requesting={TCCDProcess: identifier=com.apple.sandboxd, pid=408, auid=0, euid=0, binary_path=/usr/libexec/sandboxd}, },
默认	20:12:14.308448+0800	tccd	AUTHREQ_ATTRIBUTION: msgID=408.1144, attribution={responsible={TCCDProcess: identifier=com.apple.NetAuthSysAgent, pid=54463, auid=501, euid=501, responsible_path=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent, binary_path=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent}, accessing={TCCDProcess: identifier=com.apple.mount_nfs, pid=54466, auid=501, euid=501, binary_path=/sbin/mount_nfs}, requesting={TCCDProcess: identifier=com.apple.sandboxd, pid=408, auid=0, euid=0, binary_path=/usr/libexec/sandboxd}, },
错误	20:12:14.318784+0800	kernel	System Policy: mount_nfs(54466) deny(1) file-mount /Users/li/Library/Containers/com.lishuangzhi.navm.MyNavm/Data/Documents/NFSMount/nfs_test
默认	20:12:14.319509+0800	NetAuthSysAgent	Mount failed 1
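
An added triage example (not code from the thread): it pulls the requested mount point, the kernel sandbox denial and the agent's failure code out of log lines like the ones posted above. The sample lines are abridged from that log, and reading `Mount failed 1` as a POSIX errno is an assumption.

```python
import errno
import re
from pathlib import PurePosixPath

# Sample lines abridged from the log posted above (level, time, process, message).
SAMPLE_LOG = """\
默认\t20:12:14.271325+0800\tNetAuthSysAgent\tCalling Mount
默认\t20:12:14.271343+0800\tNetAuthSysAgent\t    Mount point = /Users/li/Library/Containers/com.lishuangzhi.navm.MyNavm/Data/Documents/NFSMount
错误\t20:12:14.318784+0800\tkernel\tSystem Policy: mount_nfs(54466) deny(1) file-mount /Users/li/Library/Containers/com.lishuangzhi.navm.MyNavm/Data/Documents/NFSMount/nfs_test
默认\t20:12:14.319509+0800\tNetAuthSysAgent\tMount failed 1
"""

DENY_RE = re.compile(
    r"System Policy: (?P<proc>[^\s(]+)\((?P<pid>\d+)\) deny\(\d+\) (?P<op>\S+) (?P<path>.+)$"
)
MOUNT_POINT_RE = re.compile(r"Mount point = (?P<path>.+)$")
FAILED_RE = re.compile(r"Mount failed (?P<code>-?\d+)$")


def triage(log_text):
    """Return the requested mount point, sandbox denials and failure code."""
    report = {"mount_point": None, "denials": [], "failure": None}
    for line in log_text.splitlines():
        # Columns are tab-separated; the message is the fourth column.
        message = line.split("\t", 3)[-1].strip()
        if m := MOUNT_POINT_RE.search(message):
            report["mount_point"] = m["path"]
        elif m := DENY_RE.search(message):
            report["denials"].append({
                "process": m["proc"],      # process the kernel denied
                "pid": int(m["pid"]),
                "operation": m["op"],      # sandbox operation, e.g. file-mount
                "path": m["path"],
            })
        elif m := FAILED_RE.search(message):
            code = int(m["code"])
            # Assumption: a positive code is a POSIX errno value.
            report["failure"] = (code, errno.errorcode.get(code, "unknown"))
    # Flag denials whose target lies at or below the requested mount point.
    mp = report["mount_point"]
    for d in report["denials"]:
        d["under_mount_point"] = bool(mp) and PurePosixPath(d["path"]).is_relative_to(mp)
    return report
```

On the sample, the denied process is `mount_nfs` rather than the app itself, and the denied `file-mount` target sits under the mount point inside the app's container.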

That looks like a very straightforward sandbox violation. I think this is NFS specific, because my understanding is that other network file systems can be mounted within your app’s container. I’m going to consult with a colleague about this, but I suspect that this is ultimately going to end up being a bug report.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I’m going to consult with a colleague about this, but I suspect that this is ultimately going to end up being a bug report.

Yes. If you haven't already, please file a bug on this and then post the number back here. Once I've got the bug number, I'll follow up with the engineering team to see if there are any other options here.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
