Where are some useful sandbox docs?
I have a wrapper for 'sudo' which calls this policy:
    (version 1)
    ;; (debug deny)
    (allow default)
    (deny file-write*)
    (allow file-write*
        (regex
            "^(/private)?/dev/"
            "^(/private)?/tmp/"
            "^(/private)?/var/tmp/"
            "^/opt/remote"
        ))
    (deny file-read* file-read-data
        (regex
            "^/Users"
            "^/Volumes"
            "^/Developer"
        ))

However, sudo doesn't work. Commenting out 'debug deny' got me this hint:

    sandbox-exec(37760) deny forbidden-exec-sugid

For giggles, I tried:

    (allow forbidden-exec-sugid)

That earned me:

    sandbox-exec: line 4: unbound variable: forbidden-exec-sugid

I've been Googling for docs that explain all of the possible options but came up dry. The man pages sure don't help much.