Gmane -- Mail To News And Back Again

From: Bill St. Clair <wws <at> clozure.com>
Subject: Lisp in Leopard
Newsgroups: gmane.lisp.openmcl.devel
Date: 2007-10-30 13:27:03 GMT (1 year, 35 weeks, 2 days, 22 hours and 18 minutes ago)

In reading John Siracusa's review of Leopard (
http://arstechnica.com/reviews/os/mac-os-x-10-5.ars/ ), I encountered
a reference to the sandbox definitions in /usr/share/sandbox .
Interestingly, to this lisp weenie, they're encoded in lisp-like
syntax. For example, here's /usr/share/sandbox/bsd.sb :

;;
;; common rules for various BSD daemons
;; Copyright (c) 2007 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)

(debug deny)

(define (bsd.traverse-symlinks)
  (allow file-read-metadata))

(define (bsd.dylibs-and-frameworks)
  (allow file-read-data file-write-data
    (regex
      ; Allow files accessed by system dylibs and frameworks
      #"^/dev/null$"
      #"^(/private)?/var/run/syslog$"
      #"^/dev/u?random$"
      #"^/dev/dtracehelper$"
      #"/\.CFUserTextEncoding$"
      #"^(/private)?/etc/localtime$"
      #"^/usr/share/nls/"
      #"^/usr/share/zoneinfo/"))

  (allow file-read-data file-read-metadata
    (regex
      ; Allow reading system dylibs and frameworks
      #"^/usr/lib/.*\.dylib$"
      #"^/System/"))

  (allow ipc-posix-shm) ; Libnotify
)

(bsd.traverse-symlinks)
(bsd.dylibs-and-frameworks)