Lion sandboxing (was: RE: efence patch for darwin)

Jeff Johnson n3npq at mac.com
Tue Apr 26 07:15:23 PDT 2011


On Apr 26, 2011, at 10:00 AM, Russell Jones wrote:

>> That is neither a good nor bad thing that it's impossible to convert.
> I'm not sure on what basis you conclude it's impossible, though you're likely right.
> 
> It is not a really, really bad thing, no, but it does mean that we can't make use of a load of work that's already been done in terms of profiling what applications are supposed to do, which is a bit of a shame.

If you're interested, the essential ingredient is the kernel
support, and (at least historically) Robert Watson and TrustedBSD
are the likely entry points to answering the issues specifically
about what is "possible".

There have been connection points between the various proposed
security frameworks, and there has been work with SELinux on *BSD
kernels (so I was told when I asked essentially the question you
asked back in ~2005).

But "possible" is not bloody likely, and there's a plethora of security
schemes around, so many and so complex that I'm not at all sure that
"SELinux" and "AppArmor" are anything other than "brands" rather than
actual honest-to-gawd security engineering "product".

And I'm still patiently waiting to see Lion "sandboxing" on my lappie ...

73 de Jeff