How to write data to a file outside sandbox

In the adef file, I have added the following:


    /home/root/data.txt /tmp/



In the source code, I tried the following:

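[code]
#include "legato.h"

COMPONENT_INIT
{
    // Open the file that the adef entry maps into the sandbox.
    FILE* fh = fopen("/tmp/data.txt", "r");
    if (fh == NULL)
    {
        LE_ERROR("Cannot open /tmp/data.txt for reading");
        return;
    }

    // Read line by line.
    const size_t line_size = 300;
    char* line = malloc(line_size);
    while (line != NULL && fgets(line, line_size, fh) != NULL)
    {
        // Open the same file for writing; this is the call that fails.
        FILE* f = fopen("/tmp/data.txt", "w");
        LE_INFO("jyi here3. f=%p", (void*)f);
        if (f != NULL)
        {
            fprintf(f, "\nabcd \r\n");
            fclose(f);
        }
    }

    free(line);
    fclose(fh);
}
[/code]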



It is OK to read the data from a file outside sandbox.
However it is not OK to open the file pointer with “w”.
I am using legato version 16.01.4 on AR75xx.

Any idea?


I also have a similar need to write to a named pipe outside of the sandbox.
Unfortunately, it is not working for me.
Did you find a way to do it ?


I’m also stuck with the same. Please share a solution if you’ve found any.

From the legato documentation:

Even though the file system object appears in the app’s sandbox it still needs permissions settings on the file. File permissions (both DAC and MAC) and ownership (group and user) on the original file in the target system remain in effect inside the sandbox.

The two tools for managing permissions are chmod (DAC) and xattr (MAC). I’m not sure of the exact settings that would be required to allow for writing from inside a sandbox. Do you have another sandboxed app that will be reading the file as well?

Did anybody have success in writing a file and sharing it between multiple processes?


Any news on this problem?
I have the same issue.

Reading is OK but writing is not. I’m trying to change the permissions in the .adef file to “[rw]” like this:

    [rw] /mnt/flash/test/data.csv /usr/share/

I have this error in return: error: Invalid character ‘[’ in file path.

I found in the doc here:

Access permissions aren’t implemented yet. For now, everything that gets installed in the application’s “bin” directory on target gets “rx” permission, and all other files get “r” while all directories get “rx”.

Does that mean that it’s not possible at all?

Dylan Lemasson

The file’s original owner always owns the file. The best way to share files between applications is to have one “provider” application that will open a file and share the file handle to other applications that want to access the file over IPC using the “file” type in API files. Once the clients get the file handle from the provider, they can use read(), write() using the file handle.
Hope this helps

Hi Alegato,

Thanks for the reply.
Do you have any sample code to show how it works?
The provider app still has to be allowed to write in the file. Or it has to create the file from scratch, then give access to other apps?

Dylan Lemasson

Hi Dylan
The provider should own the file. Basically SMACK attributes get set so that only the creator has write access to the file. When you use “file” type, the supervisor updates the attributes so that the client who is provided access to the file handle can write to it as well. You can externally use “xattr” to change the SMACK attributes, but this is cumbersome and your application will have to be un-sandboxed, which defeats the sandboxing concept.
FileSharing.7z (3.8 KB)
I’ve attached a simple application to illustrate the concept. I’ve not tried it in a while so please pardon any compilation errors.
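
The descriptor hand-off that the provider/client approach relies on can be reproduced with plain Linux primitives. This is an added example, not the attached FileSharing.7z and not Legato's own code: it assumes the handle travels as an SCM_RIGHTS message over a Unix domain socket, and `send_fd`, `recv_fd` and `share_and_write` are illustrative names.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Provider side: hand the open descriptor fd to the peer on Unix socket sock. */
static int send_fd(int sock, int fd) {
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { "F", 1 };          /* one data byte must accompany it */
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;              /* ancillary payload is a descriptor */
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Client side: returns its own descriptor for the shared file, or -1. */
static int recv_fd(int sock) {
    char byte;
    int fd = -1;
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = recvmsg(sock, &msg, 0) == 1 ? CMSG_FIRSTHDR(&msg) : NULL;
    if (c != NULL && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Provider opens path; a forked client writes text through the passed fd only. */
int share_and_write(const char *path, const char *text) {
    int sv[2], status = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                         /* client: never calls open() */
        close(sv[0]);
        int fd = recv_fd(sv[1]);
        _exit(fd >= 0 && write(fd, text, strlen(text)) == (ssize_t)strlen(text) ? 0 : 1);
    }
    int fd = pid > 0 ? open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600) : -1;
    if (fd >= 0) { send_fd(sv[0], fd); close(fd); }   /* provider keeps no copy */
    close(sv[0]); close(sv[1]);
    if (pid > 0) waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```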

Hi A,

That’s very helpful, thank you.
I was able to write a file with your code. For now, I only have one app with everything in it, I like the use of API file to separate different tasks in multiple apps like you did. It’s more resilient against crashes… I’m still struggling with missing bindings in adef files though.

The file is created by default on the target here:

Is there a way to choose a folder to save the file outside the app file system? Otherwise, if I reboot the device/app the file will be deleted.


That’s a limitation that’s being addressed and should be available from Legato 18.09. For now, what you can do is create files beforehand in the directory that is outside the sandbox. The files will be available in the sandbox and you can write to them. Hope it helps.


Hi Alegato,
Could you please elaborate on your answer a bit more? I’ve tried to create a file outside the sandbox and give the app access to it in the adef file, but it still says that my file is read only.


Even though the file system object appears in the app’s sandbox it still needs permissions settings on the file. File permissions (both DAC and MAC) and ownership (group and user) on the original file in the target system remain in effect inside the sandbox.

Each sandboxed application runs as a separate user. You’ll have to set the permission so that your sandboxed application can write to the file. In my case, the app name is “HelloWorld”. You can get the app name from “app list”.

    root@swi-mdm9x28-wp:~# echo 2 > hello.txt
    root@swi-mdm9x28-wp:~# chmod o+w hello.txt
    root@swi-mdm9x28-wp:~# xattr set 'security.SMACK64' 'app.HelloWorldrwx' hello.txt
    root@swi-mdm9x28-wp:~# xattr get hello.txt
    name=security.SMACK64; value=app.HelloWorldrwx

Run your sandboxed application

    root@swi-mdm9x28-wp:~# cat hello.txt