Sandboxed applications fail to mount NFS using NetFSMountURLSync

Mounting NFS to the application's own container directory using NetFSMountURLSync failed.

Mounted to /Users/li/Library/Containers/com.xxxxx.navm.MyNavm/Data/Documents/NFSMount Do sandbox applications not allow mounting NFS cloud storage?

code: // 1. NFS 服务器 URL（指定 NFSv3） let urlString = "nfs://192.168.64.4/seaweed?vers=3&resvport&nolocks&locallocks&soft&intr&timeo=600"

        guard let nfsURL = URL(string: urlString) else {
            os_log("❌ 无效的 URL: %@", log: netfsLog, type: .error, urlString)
            return
        }
        
        // 2. 挂载点（必须在沙盒容器内）
        let fileManager = FileManager.default
        guard let documentsURL = fileManager.urls(for: .documentDirectory, in: .userDomainMask).first else {
            os_log("❌ 无法获取 Documents 目录", log: netfsLog, type: .error)
            return
        }
        let mountPointURL = documentsURL.appendingPathComponent("NFSMount", isDirectory: true)
        
        // 创建挂载点目录
        do {
            try fileManager.createDirectory(at: mountPointURL, withIntermediateDirectories: true, attributes: nil)
            os_log("✅ 挂载点目录已准备: %@", log: netfsLog, type: .info, mountPointURL.path)
        } catch {
            os_log("❌ 创建挂载点目录失败: %@", log: netfsLog, type: .error, error.localizedDescription)
            return
        }
        
        // 3. 挂载选项（使用 NSMutableDictionary 以匹配 CFMutableDictionary）
        let mountOptions = NSMutableDictionary()
        // 如果需要，可以添加选项，例如：
        // mountOptions[kNetFSNoUserAuthenticationKey as String] = true
        
        // 4. 调用 NetFSMountURLSync
        var mountPoints: Unmanaged<CFArray>? = nil
        let status = NetFSMountURLSync(
            nfsURL as CFURL,
            mountPointURL as CFURL,
            nil,  // user
            nil,  // password
            nil,  // open_options
            mountOptions,  // 直接传递 NSMutableDictionary，自动桥接为 CFMutableDictionary
            &mountPoints
        )

log:

0 sandboxd: (TCC) [com.apple.TCC:cache] REMOVE: (kTCCServiceSystemPolicyAppData, <Credential (0x7ed0b4230) | Audit Token, 42834.109774/501>) 2026-03-03 21:38:27.656702+0800 0x2de8d8 Info 0x867e9d 408 0 sandboxd: (TCC) [com.apple.TCC:cache] SET: (kTCCServiceSystemPolicyAppData, <Credential (0x7ed0b4230) | Audit Token, 42834.109774/501>) -> <Authorization Record (0x7ecca8180) | Service: kTCCServiceSystemPolicyAppData, AuthRight: Unknown, Reason: None, Version: 1, Session pid: 42832, Session pid version: 109769, Boot UUID: 7DDB03FC-132C-4E56-BA65-5C858D2CC8DD, > 2026-03-03 21:38:27.656753+0800 0x2de8d8 Default 0x867e9d 408 0 sandboxd: (libxpc.dylib) [com.apple.xpc:connection] [0x7ecc88640] invalidated after the last release of the connection object 2026-03-03 21:38:27.656772+0800 0x2de8d8 Debug 0x867e9b 408 0 sandboxd: (TCC) [com.apple.TCC:access] disposing: 0x7ecc3aa80(OS_tcc_message_options) 2026-03-03 21:38:27.656779+0800 0x2de8d8 Debug 0x867e9b 408 0 sandboxd: (TCC) [com.apple.TCC:access] disposing: 0x7ecc44820(OS_tcc_server) 2026-03-03 21:38:27.656788+0800 0x2de8d8 Info 0x867e9b 408 0 sandboxd: [com.apple.sandbox:sandcastle] kTCCServiceSystemPolicyAppData would require prompt by TCC for mount_nfs