site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com Yep. Cheers, -- Jacques _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... On Jun 19, 2009, at 9:47 AM, Todd Heberlein wrote: You can accomplish your example by using Sandbox in Leopard and later releases. It provides a flexible mechanism for defining what operating system resources a process may or may not obtain. Unfortunately, that mechanism is not API, and may change from release to release. I though Apple's sandbox was a "voluntary" thing, where the application chooses to sandbox itself, and if it doesn't call the sandbox APIs itself, then no sandboxing. (???) That’s correct, but the sandbox is inherited. Therefore, a parent can force its child into the sandbox. $ sandbox-exec -p '(version 1) (allow default) (deny file-read* file-write* (regex #"^/private/etc/p"))' zsh So it looks like you are putting zsh in a sandbox, and then wc just inherits that sandbox when it is launched from zsh. Is that correct? This email sent to site_archiver@lists.apple.com