From d244304313f12d313dabbfacfb7ce72809b6d5c8 Mon Sep 17 00:00:00 2001 From: opa334 Date: Mon, 16 Jan 2023 22:25:48 +0100 Subject: [PATCH] Improve readme, add note about com.apple.private.security.storage.AppDataContainers --- README.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 04474aa..c80938d 100644 --- a/README.md +++ b/README.md @@ -64,17 +64,17 @@ iOS 15 on A12+ has banned the following three entitlements related to running un Your app can run unsandboxed using one of the following entitlements: -``` +```xml com.apple.private.security.container-required ``` -``` +```xml com.apple.private.security.no-container ``` -``` +```xml com.apple.private.security.no-sandbox ``` @@ -83,13 +83,20 @@ The third one is recommended if you still want a sandbox container for your appl You might also need the platform-application entitlement in order for these to work properly: -``` +```xml platform-application ``` Please note that the platform-application entitlement causes side effects such as some parts of the sandbox becoming tighter, so you may need additional private entitlements to circumvent that. (For example afterwards you need an exception entitlement for every single IOKit user client class you want to access). +In order for an app with `com.apple.private.security.no-sandbox` and `platform-application` to be able to access it's own data container, you might need the additional entitlement: + +```xml +com.apple.private.security.storage.AppDataContainers + +``` + ### Root Helpers When your app is not sandboxed, you can spawn other binaries using posix_spawn, you can also spawn binaries as root with the following entitlement:
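Review bot: In the paragraph added ahead of the new `com.apple.private.security.storage.AppDataContainers` block, "access it's own data container" should read "its own data container". The new block also has an empty line between the entitlement key and the closing fence that the other four blocks do not have; drop it so the README renders consistently. The wording "you might need the additional entitlement" leaves the reader guessing when it applies: state the condition under which an app with `com.apple.private.security.no-sandbox` and `platform-application` loses access to its container, the same way the preceding paragraph gives the IOKit user client example for the side effects of `platform-application`.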