• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: File regular expression matching in KAuth
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: File regular expression matching in KAuth

  • Subject: Re: File regular expression matching in KAuth
  • From: evaluador evaluador <email@hidden>
  • Date: Mon, 22 Jun 2009 17:47:15 +0200
I am implementing ACLs with KAuth in the file operation scope, and I would like to use regular expressions without having to implement they myself. The configuration for the ACLs need to match, for example /etc/p*....

2009/6/22 Michael Smith <email@hidden>

On Jun 22, 2009, at 12:02 AM, evaluador evaluador wrote:

That would work  from user space, but I need to go through kernel space with KAuth...

Kauth does not do what you're asking for, and the sandbox stuff is kernel-space.

Perhaps if you explained what you were actually trying to do, we could offer more help.

 = Mike


2009/6/19 Jacques Vidrine <email@hidden>
On Jun 19, 2009, at 9:47 AM, Todd Heberlein wrote:
You can accomplish your example by using Sandbox in Leopard and later releases.  It provides a flexible mechanism for defining what operating system resources a process may or may not obtain.  Unfortunately, that mechanism is not API, and may change from release to release.

I though Apple's sandbox was a "voluntary" thing, where the application chooses to sandbox itself, and if it doesn't call the sandbox APIs itself, then no sandboxing. (???)

That’s correct, but the sandbox is inherited.  Therefore, a parent can force its child into the sandbox.


$ sandbox-exec -p '(version 1) (allow default) (deny file-read* file-write* (regex #"^/private/etc/p"))' zsh

So it looks like you are putting zsh in a sandbox, and then wc just inherits that sandbox when it is launched from zsh. Is that correct?

Yep.

Cheers,
--
Jacques

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)

This email sent to email@hidden

--
Excellence in any department can be attained only by the labor of a lifetime; it is not to be purchased at a lesser price -- Samuel Johnson








 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: File regular expression matching in KAuth
      • From: Michael Smith <email@hidden>
References: 
 >File regular expression matching in KAuth (From: evaluador evaluador <email@hidden>)
 >Re: File regular expression matching in KAuth (From: Jacques Vidrine <email@hidden>)
 >Re: File regular expression matching in KAuth (From: Todd Heberlein <email@hidden>)
 >Re: File regular expression matching in KAuth (From: Jacques Vidrine <email@hidden>)
 >Re: File regular expression matching in KAuth (From: evaluador evaluador <email@hidden>)
 >Re: File regular expression matching in KAuth (From: Michael Smith <email@hidden>)

  • Prev by Date: Re: File regular expression matching in KAuth
  • Next by Date: Re: File regular expression matching in KAuth
  • Previous by thread: Re: File regular expression matching in KAuth
  • Next by thread: Re: File regular expression matching in KAuth
  • Index(es):
    • Date
    • Thread