MacPorts and sandboxing

Joshua Root jmr at macports.org
Wed Sep 26 14:31:39 PDT 2012


On 2012-9-27 05:12 , Clemens Lang wrote:
> On Thu, Sep 27, 2012 at 02:24:44AM +1000, Joshua Root wrote:
>> % sandbox-exec -p '(version 1) (allow default) (deny file* (subpath
>> "/usr/local") (subpath "/Library/Frameworks"))' gcc test.c
>> cc1: error: /usr/local/include: Operation not permitted
>> cc1: error: /Library/Frameworks: Operation not permitted
> 
> Ideally, the sandboxing could just pretend /usr/local wasn't there to
> begin with? Just denying access unfortunately isn't of any use to us.

Clang actually doesn't fail because of this. But who knows what else is
going to treat it as a fatal error like gcc.

I guess messing with the reported contents of otherwise accessible
directories is more complicated than just denying or allowing access.
Still, it seems like EACCES rather than EPERM might have been more
compatible? Too late for anything before 10.8 to be changed now though.

- Josh
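
The deny profile from the quoted command, generalized to any list of absolute paths and written to a profile file, as an added example that is not part of the original message. The function names are hypothetical, and the backslash escaping assumes SBPL's Scheme-style string literals.

```shell
#!/bin/sh
# Added example (not from the thread): build the deny profile for a set of
# prefixes and run a build command under it, to see which tools treat the
# resulting "Operation not permitted" as fatal.

# Escape backslashes and double quotes so a path can sit inside an SBPL
# string literal (assumption: Scheme-style backslash escapes).
sbpl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a profile that allows everything except file operations under the
# given subpaths. Relative paths are rejected as a conservative check.
make_deny_profile() {
    for p in "$@"; do
        case $p in
            /*) ;;
            *) echo "not an absolute path: $p" >&2; return 1 ;;
        esac
    done
    printf '(version 1)\n(allow default)\n(deny file*'
    for p in "$@"; do
        printf '\n  (subpath "%s")' "$(sbpl_quote "$p")"
    done
    printf ')\n'
}

# Run a command under a profile file. sandbox-exec exists only on macOS,
# so report and return 127 elsewhere instead of failing obscurely.
run_with_profile() {
    profile_file=$1
    shift
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "sandbox-exec not found; not running: $*" >&2
        return 127
    fi
    sandbox-exec -f "$profile_file" "$@"
}

# Usage on macOS:
#   make_deny_profile /usr/local /Library/Frameworks > deny.sb
#   run_with_profile deny.sb gcc test.c
```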

