Cannot write to ClientOnionAuthDir when Sandbox is enabled

Summary

When tor has the Sandbox option enabled, it cannot write to the ClientOnionAuthDir directory to store onion auth keys, e.g. when the "Remember this key" checkbox is checked in Tor Browser while providing the key.

Steps to reproduce:

  1. Configure tor with Sandbox 1
  2. Configure tor with ClientOnionAuthDir /some/writable/directory
  3. Use Tor Browser to access an onion service with onion authentication
  4. Check the "Remember this key" checkbox when providing the key

What is the current bug behavior?

The onion auth prompt in Tor Browser reports "Unable to store creds for ...", and no key is written to the ClientOnionAuthDir directory.

What is the expected behavior?

No errors, and the key should be written to the ClientOnionAuthDir directory.

Environment

  • Tor version 0.4.7.13
  • Tested both on Debian Sid and inside Tails with tor installed via apt

Relevant logs and/or screenshots

Jun 02 13:04:02.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/keys/n7wwn7f4jirk2yaukobahoane722lnvi7d65emwj4toas7uf5oaomdyd.auth_private.tmp (on Tor 0.4.7.13 )
Jun 02 13:00:25.000 [warn] Couldn't open "/var/lib/tor/keys/n7wwn7f4jirk2yaukobahoane722lnvi7d65emwj4toas7uf5oaomdyd.auth_private.tmp" (/var/lib/tor/keys/n7wwn7f4jirk2yaukobahoane722lnvi7d65emwj4toas7uf5oaomdyd.auth_private) for writing: Operation not permitted
Jun 02 13:00:25.000 [warn] Failed to write client auth creds file for n7wwn7f4jirk2yaukobahoane722lnvi7d65emwj4toas7uf5oaomdyd!

Possible fixes

Update the sandbox rules.
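
A triage helper for the log pattern above, added here as an example (it is not part of the original report or of tor's code): it separates write failures caused by the sandbox from ordinary filesystem permission failures. The function name and verdict labels are hypothetical, and the last sample log line is constructed for contrast.

```python
import re

# The first three lines are copied from the report above; the last line is
# constructed here to show an ordinary filesystem permission failure.
ADDR = "n7wwn7f4jirk2yaukobahoane722lnvi7d65emwj4toas7uf5oaomdyd"
KEY = f"/var/lib/tor/keys/{ADDR}.auth_private"
SAMPLE_LOG = f"""\
Jun 02 13:04:02.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for {KEY}.tmp (on Tor 0.4.7.13 )
Jun 02 13:00:25.000 [warn] Couldn't open "{KEY}.tmp" ({KEY}) for writing: Operation not permitted
Jun 02 13:00:25.000 [warn] Failed to write client auth creds file for {ADDR}!
Jun 02 13:10:00.000 [warn] Couldn't open "/srv/onion-auth/example.auth_private.tmp" (/srv/onion-auth/example.auth_private) for writing: Permission denied
"""

INTERN_RE = re.compile(r"No interned sandbox parameter found for (\S+)")
OPEN_RE = re.compile(r'Couldn\'t open "([^"]+)" \(([^)]+)\) for writing: (.+)$')


def classify_write_failures(log_text):
    """Return {target_path: verdict} for every failed write in a tor log."""
    # Paths the sandbox warned about. They are matched by path, not by
    # timestamp: in the report the two warnings carry different timestamps.
    unlisted = set(INTERN_RE.findall(log_text))
    verdicts = {}
    for line in log_text.splitlines():
        m = OPEN_RE.search(line)
        if not m:
            continue
        tmp_path, target, err = m.groups()
        if err == "Operation not permitted" and tmp_path in unlisted:
            verdicts[target] = "sandbox"      # path missing from sandbox rules
        elif err == "Operation not permitted":
            verdicts[target] = "eperm-other"  # EPERM, no sandbox warning seen
        else:
            verdicts[target] = "filesystem"   # e.g. ownership or mode problem
    return verdicts


if __name__ == "__main__":
    for path, verdict in classify_write_failures(SAMPLE_LOG).items():
        print(f"{verdict:12} {path}")
```

A "sandbox" verdict means the directory permissions are not the problem, so changing ownership or mode on ClientOnionAuthDir will not help.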