Improve readme, add note about com.apple.private.security.storage.AppDataContainers

2025-11-04 15:42:35 +08:00 · 2023-01-16 22:25:48 +01:00 · 2023-01-16 22:25:48 +01:00 · d244304313
commit d244304313
parent d3305f1660
1 changed files with 11 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -64,17 +64,17 @@ iOS 15 on A12+ has banned the following three entitlements related to running un

 Your app can run unsandboxed using one of the following entitlements:

-```
+```xml
 <key>com.apple.private.security.container-required</key>
 <false/>
 ```

-```
+```xml
 <key>com.apple.private.security.no-container</key>
 <true/>
 ```

-```
+```xml
 <key>com.apple.private.security.no-sandbox</key>
 <true/>
 ```
@ -83,13 +83,20 @@ The third one is recommended if you still want a sandbox container for your appl

 You might also need the platform-application entitlement in order for these to work properly:

-```
+```xml
 <key>platform-application</key>
 <true/>
 ```

 Please note that the platform-application entitlement causes side effects such as some parts of the sandbox becoming tighter, so you may need additional private entitlements to circumvent that. (For example afterwards you need an exception entitlement for every single IOKit user client class you want to access).

+In order for an app with `com.apple.private.security.no-sandbox` and `platform-application` to be able to access it's own data container, you might need the additional entitlement:
+
+```xml
+<key>com.apple.private.security.storage.AppDataContainers</key>
+<true/>
+```
+
 ### Root Helpers

 When your app is not sandboxed, you can spawn other binaries using posix_spawn, you can also spawn binaries as root with the following entitlement: