I'm developing a TTS Audio Unit Extension that needs to write trace/log files to a shared App Group container. While the main app can successfully create and write files to the container, the extension gets sandbox denied errors despite having proper App Group entitlements configured.
Setup:
- Main App (Flutter) and TTS Audio Unit Extension share the same App Group
- App Group is properly configured in developer portal and entitlements
- Main app successfully creates and uses files in the container
- Container structure shows existing directories (config/, dictionary/) with populated files
- Both targets have App Group capability enabled and entitlements set
Current behavior:
- Extension can access/read the App Group container
- Extension can see existing directories and files
- All write attempts are blocked with "sandbox deny(1) file-write-create" errors
Code example:
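#import <Foundation/Foundation.h>
#include <string.h>

// Returns a heap-allocated copy of the path (caller must free() it), or NULL on failure.
const char* createSharedGroupPathWithComponent(const char* groupId, const char* component) {
    NSString* groupIdStr = [NSString stringWithUTF8String:groupId];
    NSString* componentStr = [NSString stringWithUTF8String:component];
    NSURL* url = [[NSFileManager defaultManager] containerURLForSecurityApplicationGroupIdentifier:groupIdStr];
    if (url == nil) {
        // nil means no container is available for this App Group identifier.
        NSLog(@"No container for App Group %@", groupIdStr);
        return NULL;
    }
    NSURL* fullPath = [url URLByAppendingPathComponent:componentStr];
    NSError *error = nil;
    if (![[NSFileManager defaultManager] createDirectoryAtPath:fullPath.path
                                   withIntermediateDirectories:YES
                                                    attributes:nil
                                                         error:&error]) {
        NSLog(@"Unable to create directory %@", error.localizedDescription);
    }
    // Copy the bytes: the UTF8String buffer is only valid while the NSString is alive.
    return strdup([[fullPath path] UTF8String]);
}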
Error output:
Sandbox: simaromur-extension(996) deny(1) file-write-create /private/var/mobile/Containers/Shared/AppGroup/36CAFE9C-BD82-43DD-A962-2B4424E60043/trace
Key questions:
- Are there additional entitlements required for TTS Audio Unit Extensions to write to App Group containers?
- Is this a known limitation of TTS Audio Unit Extensions?
- What is the recommended way to handle logging/tracing in TTS Audio Unit Extensions?
- If writing to App Group containers is not supported, what alternatives are available?
Current entitlements:
<dict>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.<company>.<appname></string>
    </array>
</dict>