
Since installing Mojave, I can no longer access ~/Library/Containers/com.apple.mail/Data/:

pse@Mithos:~$ ll ~/Library/Containers/com.apple.mail/Data/
ls: DataVaults: Operation not permitted

I've granted Full Access to Terminal in System Preferences, nevertheless the error message remains.

What makes this directory so special and how can I get access?

nohillside
  • Did you restart after granting? – Ruskes Sep 28 '18 at 18:38
  • 1
    @Buscar웃 No. But access to other directories beneath ~/Library works without issues, even those which haven't been accessible before granting Full Access to Terminal. – nohillside Sep 28 '18 at 18:45
  • Terminal.app isn't performing the access. Your shell is. Your system is working as designed. – Marc Wilson Oct 02 '18 at 18:08
  • 2
    @MarcWilson I'm sure it works that way. But according to that design the Full Access rights given to Terminal get propagated to all binaries run from within Terminal, including the shell. So something else is preventing access here. – nohillside Oct 05 '18 at 13:26

1 Answer


The DataVaults directory has to do with entitlements. Access is prevented unless the owner of the entitlement grants the access. The entitlements for Mail.app can be listed as follows, which provides an XML plist.

codesign -d --entitlements - /Applications/Mail.app/

At this time, the only other method to acquire access to the directory is to turn off SIP.

For more details on DataVaults see No Entry ⛔️: access controls in Mojave. The section on DataVaults starts off with

Introduced in later releases of High Sierra, and used more in Mojave, are folders to which only Apple’s software has even read access, DataVaults. My account here is largely based on comments generously provided here by an anonymous source, as these don’t appear to have been mentioned anywhere by Apple (not even at WWDC 2018), nor can I find other descriptions.

so it all seems to be kind of a mystery still.

Christopher
  • Hmm, I see the entitlements for Mail.app, but where is the definition which prevents access by default? – nohillside Oct 06 '18 at 07:36
  • 1
    Even with "full disk access" configured, apps cannot access `rootless_mkdir` directories (a.k.a. DataVaults) made by the app. – Christopher Oct 06 '18 at 14:35
  • 1
    LOL, googling `rootless_mkdir` just got me [this](https://mjtsai.com/blog/2018/09/10/mojaves-new-security-and-privacy-protections-face-usability-challenges/) which includes your (I assume) tweet on this. Is there anything in Apple's documentation explaining this (didn't find it in the link from your answer)? – nohillside Oct 06 '18 at 14:42
  • No I don't tweet. No, I could not find anything either. I have ordered a copy of OS Internals to see what more I can learn, though. http://newosxbook.com/ – Christopher Oct 06 '18 at 23:21
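A small diagnostic script, added here as an example and not part of the question or answer above: it tells the "Operation not permitted" denial seen in the question apart from an ordinary "Permission denied", and pulls any `com.apple.rootless.` entitlement keys out of a plist such as the `codesign -d --entitlements -` output from the answer. The `com.apple.rootless.` prefix and the sample plist are assumptions for illustration, not a dump of Mail.app's real entitlements.

```shell
#!/bin/sh
# Added example (not from the original post).
#  classify_ls_error: classify the stderr text of an `ls` attempt. A DataVault
#    or SIP-protected path yields EPERM ("Operation not permitted") even with
#    Full Disk Access, whereas a plain POSIX mode problem yields EACCES.
#  rootless_keys: print entitlement keys under the assumed com.apple.rootless.
#    prefix from plist text on stdin (e.g. codesign output, macOS only).

classify_ls_error() {
  case "$1" in
    *"Operation not permitted"*) echo "datavault-or-sip" ;;
    *"Permission denied"*)       echo "posix-perms" ;;
    *"No such file"*)            echo "missing" ;;
    *)                           echo "ok" ;;
  esac
}

rootless_keys() {
  # Emit the name inside each <key>com.apple.rootless...</key> element.
  sed -n 's/.*<key>\(com\.apple\.rootless\.[^<]*\)<\/key>.*/\1/p'
}

probe_dir() {
  # Try to list a directory and classify the resulting error text, if any.
  err=$(ls "$1" 2>&1 >/dev/null)
  classify_ls_error "$err"
}

# Constructed sample plist (assumed key name, not Mail.app's actual entitlements).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.rootless.storage.ExampleVault</key><true/>
</dict></plist>'

# On macOS one would run instead:
#   codesign -d --entitlements - /Applications/Mail.app/ 2>/dev/null | rootless_keys
#   probe_dir ~/Library/Containers/com.apple.mail/Data/DataVaults
printf '%s\n' "$SAMPLE_PLIST" | rootless_keys
```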