[MacPorts] #39850: Sandbox denies access when prefix/portdbpath not normalised

[MacPorts]

#39850: Sandbox denies access when prefix/portdbpath not normalised
-------------------------+----------------------------
  Reporter:  jwhowse4@…  |      Owner:  cal@…
      Type:  defect      |     Status:  closed
  Priority:  Normal      |  Milestone:  MacPorts 2.3.0
 Component:  base        |    Version:  2.2.0
Resolution:  fixed       |   Keywords:
      Port:              |
-------------------------+----------------------------

Comment (by keybounce@…):

 Oh wow ...

 First: There's a much better sample set of profiles:
 /System/Library/Sandbox/Profiles

 Second: What kind of scheme is apple plotting?

 {{{
 (define (legacy-entitlement ls)
   (let loop ((ls ls))
     (if (null? ls) #f
         (let ((entry (assoc (car ls) *entitlements*)))
           (if entry (cdr entry)
               (loop (cdr ls)))))))
 }}}

 (Is it full lisp/scheme? What dialect? Does this mean that any time a
 program attempts to run, a different program is run before it to modify
 its execution environment? Can you just imagine the infection vector this
 can provide?)

 Third: sandbox-simplify: That command is not referenced from sandbox,
 sandboxd, sandbox-exec, etc -- yet it speaks volumes.

 Fourth: It looks like making symbolic links work is as simple as
 mentioning it in a
 {{{
 (allow file-read-metadata
        (literal "/etc")
        (literal "/tmp")
 ...
 }}}
 block.

 Fifth: I wonder if it's possible to make a system-specific version of
 system.sb or application.sb (normally in that /System directory) and solve
 all of these issues, even for Apple software updates ... (would be
 wonderful for getting stuff that does not belong on root off of it.)

-- 
Ticket URL: <https://trac.macports.org/ticket/39850#comment:75>
MacPorts <http://www.macports.org/>
Ports system for OS X