[Openmcl-devel] Lisp in Leopard

Terje Norderhaug terje at in-progress.com
Tue Oct 30 09:39:50 PDT 2007


On Oct 30, 2007, at 6:27 AM, Bill St. Clair wrote:
> In reading John Siracusa's review of Leopard (
> http://arstechnica.com/reviews/os/mac-os-x-10-5.ars/ ), I encountered
> a reference to the sandbox definitions in /usr/share/sandbox .
> Interestingly, to this lisp weenie, they're encoded in lisp-like
> syntax.

"Leopard sandboxes are flexible and interesting. They're apparently compiled from Scheme programs (sandbox-compilerd embeds TinyScheme) that live in /usr/share/sandbox. You can break sandbox-compilerd open in TextEdit and read the compiled-in Scheme code;"

http://www.matasano.com/log/981/a-roundup-of-leopard-security-features/

> For example, here's /usr/share/sandbox/bsd.sb :
>
> ;;
> ;; common rules for various BSD daemons
> ;; Copyright (c) 2007 Apple Inc.  All Rights reserved.
> ;;
> ;; WARNING: The sandbox rules in this file currently constitute
> ;; Apple System Private Interface and are subject to change at any time and
> ;; without notice. The contents of this file are also auto-generated and not
> ;; user editable; it may be overwritten at any time.
> ;;
> (version 1)
>
> (debug deny)
>
> (define (bsd.traverse-symlinks)
>   (allow file-read-metadata))
>
> (define (bsd.dylibs-and-frameworks)
>   (allow file-read-data file-write-data
>     (regex
>       ; Allow files accessed by system dylibs and frameworks
>       #"^/dev/null$"
>       #"^(/private)?/var/run/syslog$"
>       #"^/dev/u?random$"
>       #"^/dev/dtracehelper$"
>       #"/\.CFUserTextEncoding$"
>       #"^(/private)?/etc/localtime$"
>       #"^/usr/share/nls/"
>       #"^/usr/share/zoneinfo/"))
>
>   (allow file-read-data file-read-metadata
>     (regex
>       ; Allow reading system dylibs and frameworks
>       #"^/usr/lib/.*\.dylib$"
>       #"^/System/"))
>
>   (allow ipc-posix-shm) ; Libnotify
> )
>
> (bsd.traverse-symlinks)
> (bsd.dylibs-and-frameworks)
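The profile quoted above is a deny-by-default policy built from `(allow op ... (regex #"..." ...))` forms wrapped in `define`d functions that are then called at top level. As an added example (not code from this thread or from Apple), the following parses a constructed excerpt in that syntax, expands the functions that are actually called, and answers whether a given operation on a given path is granted. It assumes the regex literals match like Python's `re.search` (unanchored unless `^`/`$` are used) and handles only the forms visible in the quoted file.

```python
import re
# Constructed excerpt in the syntax of the bsd.sb profile quoted above
PROFILE = r'''
(define (bsd.dylibs-and-frameworks)
  (allow file-read-data file-write-data
    (regex ; files accessed by system dylibs and frameworks
      #"^/dev/u?random$"
      #"/\.CFUserTextEncoding$"))
  (allow file-read-data file-read-metadata
    (regex #"^/usr/lib/.*\.dylib$" #"^/System/"))
  (allow ipc-posix-shm))
(bsd.dylibs-and-frameworks)
'''
# whitespace | ';' comment | #"..." regex literal | paren | bare symbol
TOKEN = re.compile(r'\s+|;[^\n]*|#"((?:[^"\\]|\\.)*)"|[()]|[^\s()";]+')

def parse(src):
    """Nested lists of symbols; #"..." literals become compiled regexes."""
    stack, top = [], []
    for m in TOKEN.finditer(src):
        t = m.group(0)
        if not t.strip() or t.startswith(';'): continue   # skip blanks/comments
        if t == '(':
            stack.append(top); top = []
        elif t == ')':
            form, top = top, stack.pop(); top.append(form)
        elif m.group(1) is not None:
            top.append(re.compile(m.group(1)))
        else: top.append(t)
    if stack: raise ValueError('unbalanced parentheses')
    return top

def collect_rules(src):
    """Expand (define (name) ...) bodies called at top level into (ops, regexes)."""
    defs, rules = {}, []
    def walk(form):
        if form[0] == 'allow':
            ops = [x for x in form[1:] if isinstance(x, str)]
            pats = [p for f in form[1:] if isinstance(f, list) and f[0] == 'regex' for p in f[1:]]
            rules.append((ops, pats))
        elif form[0] in defs:      # call of a defined function: inline its body
            for body in defs[form[0]]: walk(body)
    for form in parse(src):
        if form[0] == 'define': defs[form[1][0]] = form[2:]
        else: walk(form)
    return rules

def allowed(rules, op, path=''):
    """Default deny: granted only by an allow rule whose regex (if any) matches."""
    return any(op in ops and (not pats or any(p.search(path) for p in pats))
               for ops, pats in rules)
```

With these rules, `allowed(rules, 'file-read-data', '/usr/lib/libSystem.B.dylib')` is granted while `file-write-data` on the same path is not, which is the distinction the two `allow` forms encode.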