Re: File regular expression matching in KAuth
- Subject: Re: File regular expression matching in KAuth
- From: Todd Heberlein <email@hidden>
- Date: Fri, 19 Jun 2009 09:47:53 -0700
You can accomplish your example by using Sandbox in Leopard and
later releases. It provides a flexible mechanism for defining what
operating system resources a process may or may not obtain.
Unfortunately, that mechanism is not API, and may change from
release to release.
I thought Apple's sandbox was a "voluntary" thing, where the
application chooses to sandbox itself, and if it doesn't call the
sandbox APIs itself, then no sandboxing. (???)
$ sandbox-exec -p '(version 1) (allow default) (deny file-read* file-write* (regex #"^/private/etc/p"))' zsh
So it looks like you are putting zsh in a sandbox, and then wc just
inherits that sandbox when it is launched from zsh. Is that correct?
Todd
Darwin-kernel mailing list (email@hidden)