[Openmcl-devel] Lisp in Leopard
Terje Norderhaug
terje at in-progress.com
Tue Oct 30 09:39:50 PDT 2007
On Oct 30, 2007, at 6:27 AM, Bill St. Clair wrote:
> In reading John Siracusa's review of Leopard (
> http://arstechnica.com/reviews/os/mac-os-x-10-5.ars/ ), I encountered
> a reference to the sandbox definitions in /usr/share/sandbox .
> Interestingly, to this lisp weenie, they're encoded in lisp-like
> syntax.
"Leopard sandboxes are flexible and interesting. They’re apparently
compiled from Scheme programs (sandbox-compilerd embeds TinyScheme)
that live in /usr/share/sandbox. You can break sandbox-compilerd open
in TextEdit and read the compiled-in Scheme code;"
http://www.matasano.com/log/981/a-roundup-of-leopard-security-features/
> For example, here's /usr/share/sandbox/bsd.sb :
>
> ;;
> ;; common rules for various BSD daemons
> ;; Copyright (c) 2007 Apple Inc. All Rights reserved.
> ;;
> ;; WARNING: The sandbox rules in this file currently constitute
> ;; Apple System Private Interface and are subject to change at any time and
> ;; without notice. The contents of this file are also auto-generated and not
> ;; user editable; it may be overwritten at any time.
> ;;
> (version 1)
>
> (debug deny)
>
> (define (bsd.traverse-symlinks)
>   (allow file-read-metadata))
>
> (define (bsd.dylibs-and-frameworks)
>   (allow file-read-data file-write-data
>     (regex
>       ; Allow files accessed by system dylibs and frameworks
>       #"^/dev/null$"
>       #"^(/private)?/var/run/syslog$"
>       #"^/dev/u?random$"
>       #"^/dev/dtracehelper$"
>       #"/\.CFUserTextEncoding$"
>       #"^(/private)?/etc/localtime$"
>       #"^/usr/share/nls/"
>       #"^/usr/share/zoneinfo/"))
>
>   (allow file-read-data file-read-metadata
>     (regex
>       ; Allow reading system dylibs and frameworks
>       #"^/usr/lib/.*\.dylib$"
>       #"^/System/"))
>
>   (allow ipc-posix-shm) ; Libnotify
> )
>
> (bsd.traverse-symlinks)
> (bsd.dylibs-and-frameworks)
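The Scheme-like profile syntax quoted above, worked through as an added example that is not from the list thread or from Apple: a small Python reader for the profile's s-expressions (including the `#"..."` regex literals) and a checker that answers whether an operation on a path would be allowed under the file's default-deny rules. It assumes the only filter kind is `(regex ...)` and that `(define (name) ...)` bodies consist of `allow` forms, as in the quoted bsd.sb, and uses an abridged copy of that file as constructed input.

```python
import re

# One token per match: whitespace, ; comment, #"regex" literal, paren, or symbol.
TOKEN = re.compile(r'\s+|;[^\n]*|#"((?:[^"\\]|\\.)*)"|[()]|[^\s()";]+')

def parse(src):
    """Read profile text into nested lists; #"..." literals become ('re', pattern)."""
    stack = [[]]
    for m in TOKEN.finditer(src):
        t = m.group(0)
        if t.isspace() or t.startswith(';'):
            continue                      # whitespace and ; comments carry no meaning
        if t == '(':
            stack.append([])
        elif t == ')':
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(('re', m.group(1)) if t.startswith('#"') else t)
    return stack[0]

def is_allowed(profile, op, path):
    """Default deny: True only if some (allow ...) names op and a regex filter matches path.
    Assumption: the only filter kind is (regex ...), as in the quoted bsd.sb."""
    forms = parse(profile)
    defs = {f[1][0]: f[2:] for f in forms if f[0] == 'define'}   # (define (name) body...)
    # Top-level allows plus the bodies of any (name) invocations, in file order.
    rules = [r for f in forms for r in ([f] if f[0] == 'allow' else defs.get(f[0], []))]
    for rule in rules:
        ops = [x for x in rule[1:] if isinstance(x, str)]
        pats = [p for flt in rule[1:] if isinstance(flt, list) and flt[0] == 'regex'
                for _, p in flt[1:]]
        if op in ops and (not pats or any(re.search(p, path) for p in pats)):
            return True                   # no filter at all = allow for every path
    return False

# Constructed input: an abridged copy of the bsd.sb profile quoted in the thread.
BSD_SB = r'''
(version 1)
(debug deny)
(define (bsd.traverse-symlinks)
  (allow file-read-metadata))
(define (bsd.dylibs-and-frameworks)
  (allow file-read-data file-write-data
    (regex #"^/dev/null$" #"^/dev/u?random$" #"/\.CFUserTextEncoding$"))
  (allow file-read-data file-read-metadata (regex #"^/usr/lib/.*\.dylib$" #"^/System/"))
  (allow ipc-posix-shm)) ; Libnotify
(bsd.traverse-symlinks)
(bsd.dylibs-and-frameworks)
'''
```

Note that `(debug deny)` only asks the kernel to log denials; it is the absence of a matching `allow` that denies, so `is_allowed(BSD_SB, 'file-write-data', '/usr/lib/libSystem.dylib')` is False while reads of the same path are allowed.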