> You can accomplish your example by using Sandbox in Leopard and later
> releases. It provides a flexible mechanism for defining what operating
> system resources a process may or may not obtain. Unfortunately, that
> mechanism is not API, and may change from release to release.

I thought Apple's sandbox was a "voluntary" thing, where the application chooses to sandbox itself, and if it doesn't call the sandbox APIs itself, then no sandboxing. (???)

> $ sandbox-exec -p '(version 1) (allow default) (deny file-read* file-write* (regex #"^/private/etc/p"))' zsh

So it looks like you are putting zsh in a sandbox, and then wc just inherits that sandbox when it is launched from zsh. Is that correct?

Todd

_______________________________________________
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)