Thank you all. I have a better understanding now. I am just trying to log some debug info of the renderer in /tmp that may help me understand things better.
Regards,

On Thu, Jul 30, 2009 at 7:36 PM, Jeremy Moskovich<jer...@chromium.org> wrote:
> The easiest way would be to add a rule to renderer.sb, the language it uses
> is undocumented but very easy to use, you can find the file in the source
> tree.
>
> May I ask why you want the renderer to be able to read/write files in /tmp?
>
> Best regards,
> Jeremy
>
> On Thu, Jul 30, 2009 at 7:32 PM, n179911 <n179...@gmail.com> wrote:
>>
>> I would like to change it so that the renderer can create/write file on
>> /tmp.
>>
>> Like this 'kSBXProfileNoWriteExceptTemporary' profile.
>>
>> On Thu, Jul 30, 2009 at 9:43 AM, Jeremy Moskovich<jer...@chromium.org>
>> wrote:
>> > Is this just out of curiosity? Is there something specific you're
>> > trying to achieve?
>> > On Thu, Jul 30, 2009 at 9:32 AM, n179911 <n179...@gmail.com> wrote:
>> >>
>> >> On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich<jer...@chromium.org>
>> >> wrote:
>> >> > Hi,
>> >> > It would really help if you could provide some details on what you're
>> >> > trying to do.
>> >> > Best regards,
>> >> > Jeremy
>> >> >
>> >> From the
>> >>
>> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
>> >>
>> >> It said "In the renderer, we would probably want to use a combination of
>> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would
>> >> like to get by with kSBXProfilePureComputation,"
>> >>
>> >> I am trying to see what is the current setting in chromium. I can't
>> >> find that in renderer.sb or when sandbox_init() is called. And then I
>> >> would want to see if I can switch it to 'kSBXProfilePureComputation'
>> >> and see what may break.
>> >>
>> >> Regards,
>> >>
>> >> > On Thu, Jul 30, 2009 at 9:06 AM, n179911 <n179...@gmail.com> wrote:
>> >> >>
>> >> >> Thank you. Can you please tell me how can I change the configure file
>> >> >> (renderer.sb) to use other sandbox profile, like the one described in
>> >> >> man page:
>> >> >>
>> >> >> * kSBXProfileNoInternet
>> >> >> * kSBXProfileNoNetwork
>> >> >> * kSBXProfileNoWrite
>> >> >> * kSBXProfileNoWriteExceptTemporary
>> >> >> * kSBXProfilePureComputation
>> >> >>
>> >> >> And I did try looking for the sandbox configuration format, but this
>> >> >> is the only thing I found, but it does not contain sandbox config
>> >> >> file format
>> >> >>
>> >> >> http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html
>> >> >>
>> >> >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van Lenten<thoma...@chromium.org>
>> >> >> wrote:
>> >> >> > Those constants are pre-configured settings. The NAMED_EXTERNAL flag
>> >> >> > lets us pass in our own config, which is the renderer.sb. Apple hasn't
>> >> >> > really documented the file format, but if you do some searching on the
>> >> >> > web, you'll find some documentation folks have figured out and I believe
>> >> >> > there was a talk given at one point by some of the Apple folks that work
>> >> >> > on it.
>> >> >> > TVL
>> >> >> >
>> >> >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 <n179...@gmail.com> wrote:
>> >> >> >>
>> >> >> >> Hi,
>> >> >> >>
>> >> >> >> I read this article:
>> >> >> >>
>> >> >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
>> >> >> >>
>> >> >> >> It said Mac OSX supports five constants for sandbox access
>> >> >> >> restrictions:
>> >> >> >>
>> >> >> >> * kSBXProfileNoInternet
>> >> >> >> * kSBXProfileNoNetwork
>> >> >> >> * kSBXProfileNoWrite
>> >> >> >> * kSBXProfileNoWriteExceptTemporary
>> >> >> >> * kSBXProfilePureComputation
>> >> >> >>
>> >> >> >> In the renderer, we would probably want to use a combination of
>> >> >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would
>> >> >> >> like to get by with kSBXProfilePureComputation,
>> >> >> >>
>> >> >> >> Can you please tell me which access restrictions the renderer of
>> >> >> >> chromium is currently set to?
>> >> >> >> I have looked at renderer_main_platform_delegate_mac.mm, which I
>> >> >> >> believe is how/where chromium set the access restrictions to. But
>> >> >> >> from the code, I can't tell which access restrictions it assigns to
>> >> >> >> renderer.
>> >> >> >>
>> >> >> >> int error = sandbox_init(sandbox_profile,
>> >> >> >>                          SANDBOX_NAMED_EXTERNAL,
>> >> >> >>                          &error_buff);
>> >> >> >>
>> >> >> >> And I have looked at the file 'renderer.sb', it does not contain
>> >> >> >> any of the above 5 access restrictions string either.
>> >> >> >>
>> >> >> >> Thank you for your help.
>> >> >> >>
>> >> >> >> Regards,

--
Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
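
The kind of rule discussed in the thread, as an added example that is not part of the original messages and is not taken from Chromium's renderer.sb. It uses the community-documented sandbox profile language; the log file name is hypothetical, and the profile is a constructed fragment that assumes /tmp resolves to /private/tmp and omits everything else a working renderer profile needs.

```scheme
; Constructed sandbox profile fragment; not Chromium's renderer.sb.
(version 1)
(deny default)   ; nothing is allowed unless a later rule grants it

; Broad form: every path under /tmp becomes writable by the renderer,
; including files that belong to other processes.
; (allow file-write* (subpath "/private/tmp"))

; Narrow form: only one debug log (hypothetical name) can be created
; or written. /tmp is a symlink to /private/tmp, so the rule names
; the resolved path.
(allow file-write* (literal "/private/tmp/renderer_debug.log"))
```

Scoping the rule to a single literal path keeps the debugging aid from widening what a compromised renderer could write, and makes it easy to spot and remove before the profile ships.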