MacPorts and sandboxing
Arno Hautala
arno at alum.wpi.edu
Thu Sep 27 11:45:18 PDT 2012
What about other options like chroot? Would it be possible to build
within a chrooted environment? Maybe that would be too heavy in having
to copy all dependencies to the chroot.
Maybe switch the macports prefix to /opt/local/chroot, move everything
in there (building, installing, etc), and then create links in the
/opt/local prefix upon activaton. Or something like FreeBSD's jails
where the /opt/local prefix could be mounted within the jail.
Or would that break libraries? I could imagine all sorts of problems
with absolute paths. Though maybe that could be solved by having the
system /opt/local mounted at the jail's /opt/local.
On Thu, Sep 27, 2012 at 2:31 PM, Jordan K. Hubbard <jkh at apple.com> wrote:
> Yeah, and, after talking to the sandbox gurus at Apple last night it's
> pretty clear that sandboxing is fairly monomaniacal in its focus: It just
> wants to deny things. It doesn't want to hide, redirect or otherwise
> interpose filesystem / other operations, and given all of the complexities
> inherent in the other approaches, that makes sense. Rats. It would have
> been so much simpler if we could have figured out how to piggy-back on
> sandboxing.
--
arno s hautala /-| arno at alum.wpi.edu
pgp b2c9d448
More information about the macports-dev
mailing list