Re: File regular expression matching in KAuth
Re: File regular expression matching in KAuth
- Subject: Re: File regular expression matching in KAuth
- From: Jacques Vidrine <email@hidden>
- Date: Fri, 19 Jun 2009 09:58:01 -0700
On Jun 19, 2009, at 9:47 AM, Todd Heberlein wrote:
You can accomplish your example by using Sandbox in Leopard and
later releases. It provides a flexible mechanism for defining what
operating system resources a process may or may not obtain.
Unfortunately, that mechanism is not API, and may change from
release to release.
I though Apple's sandbox was a "voluntary" thing, where the
application chooses to sandbox itself, and if it doesn't call the
sandbox APIs itself, then no sandboxing. (???)
That’s correct, but the sandbox is inherited. Therefore, a parent can
force its child into the sandbox.
$ sandbox-exec -p '(version 1) (allow default) (deny file-read*
file-write* (regex #"^/private/etc/p"))' zsh
So it looks like you are putting zsh in a sandbox, and then wc just
inherits that sandbox when it is launched from zsh. Is that correct?
Yep.
Cheers,
--
Jacques _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden