[chromium-dev] Re: Question about chromium sandbox on Mac OSX
If you're just doing this for debugging purposes, an easier route would be to pass in the --no-sandbox flag to temporarily disable the sandbox entirely, documented here: http://sites.google.com/a/chromium.org/dev/developers/debugging-on-os-x On Thu, Jul 30, 2009 at 8:00 PM, n179911 wrote: > > Thank you all. I have a better understanding now. > > I just try to log some debug info of the renderer in /tmp that may > help me understand things better. > > Regards, > > On Thu, Jul 30, 2009 at 7:36 PM, Jeremy Moskovich > wrote: > > The easiest way would be to add a rule to renderer.sb, the language it > uses > > is undocumented but very easy to use, you can find the file in the source > > tree. > > > > May I ask why you want the renderer to be able to read/write files in > /tmp? > > > > Best regards, > > Jeremy > > > > On Thu, Jul 30, 2009 at 7:32 PM, n179911 wrote: > >> > >> I would like to change it so that the renderer can create/write file on > >> /tmp. > >> > >> Like this 'kSBXProfileNoWriteExceptTemporary' profile. > >> > >> On Thu, Jul 30, 2009 at 9:43 AM, Jeremy Moskovich > >> wrote: > >> > Is this just out of curiosity? Is there something specific you're > >> > trying to > >> > achieve? > >> > On Thu, Jul 30, 2009 at 9:32 AM, n179911 wrote: > >> >> > >> >> On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich< > jer...@chromium.org> > >> >> wrote: > >> >> > Hi, > >> >> > It would really help if you could provide some details on what your > >> >> > trying > >> >> > to do. > >> >> > Best regards, > >> >> > Jeremy > >> >> > > >> >> From the > >> >> > >> >> > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > >> >> > >> >> It said "In the renderer, we would probably want to use a combination > >> >> of > >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > >> >> like to get by with kSBXProfilePureComputation," > >> >> > >> >> I am trying to see what it the current setting in chromium. I can't > >> >> find that in renderer.sb or when sandbox_init() is called. And then > I > >> >> would want to see if I can switch it to 'kSBXProfilePureComputation' > >> >> and see what may break. > >> >> > >> >> Regards, > >> >> > >> >> > >> >> > >> >> > On Thu, Jul 30, 2009 at 9:06 AM, n179911 > wrote: > >> >> >> > >> >> >> Thank you. Can you please tell me how can I change the configure > >> >> >> file > >> >> >> (renderer.sb) to use > >> >> >> other sandbox profile, like the one described in man page: > >> >> >> > >> >> >> * kSBXProfileNoInternet > >> >> >> * kSBXProfileNoNetwork > >> >> >> * kSBXProfileNoWrite > >> >> >> * kSBXProfileNoWriteExceptTemporary > >> >> >> * kSBXProfilePureComputation > >> >> >> > >> >> >> And I did try looking for the sandbox configuration format, but > this > >> >> >> is the only thing I found, but it does not contain sandbox config > >> >> >> file > >> >> >> format > >> >> >> > >> >> >> > >> >> >> > >> >> >> > http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html > >> >> >> > >> >> >> > >> >> >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van > >> >> >> Lenten > >> >> >> wrote: > >> >> >> > Those constants are pre-configured settings. The NAMED_EXTERNAL > >> >> >> > flag > >> >> >> > lets > >> >> >> > us pass in our own config, which is the renderer.sb. Apple > hasn't > >> >> >> > really > >> >> >> > documented the file format, but if you do some searching on the > >> >> >> > web, > >> >> >> > you'll > >> >> >> > find some documentation folks have figured out and I believe > there > >> >> >> > was a > >> >> >> > talk given at one point by some of the Apple folks that work on > >> >> >> > it. > >> >> >> > TVL > >> >> >> > > >> >> >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 > >> >> >> > wrote: > >> >> >> >> > >> >> >> >> Hi, > >> >> >> >> > >> >> >> >> I read this article: > >> >> >> >> > >> >> >> >> > >> >> >> >> > >> >> >> >> > >> >> >> >> > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > >> >> >> >> > >> >> >> >> It said Mac OSX supports five constants for sandbox access > >> >> >> >> restrictions: > >> >> >> >> > >> >> >> >>* kSBXProfileNoInternet > >> >> >> >>* kSBXProfileNoNetwork > >> >> >> >>* kSBXProfileNoWrite > >> >> >> >>* kSBXProfileNoWriteExceptTemporary > >> >> >> >>* kSBXProfilePureComputation > >> >> >> >> > >> >> >> >> In the renderer, we would probably want to use a combination of > >> >> >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we > >> >> >> >> would > >> >> >> >> like to get by with kSBXProfilePureComputation, > >> >> >> >> > >> >> >> >> Can you please which access restrictions the renderer of > chromium > >> >> >> >> is > >> >> >> >> currently set to? > >> >> >> >> I have looked at renderer_main_platform_delegate_mac.mm, which > I > >> >> >> >> believe is how/where chromium set the access restrictions to. > But > >> >> >> >> from > >> >> >> >> the code, i can't tell which access restriction
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
Thank you all. I have a better understanding now. I just try to log some debug info of the renderer in /tmp that may help me understand things better. Regards, On Thu, Jul 30, 2009 at 7:36 PM, Jeremy Moskovich wrote: > The easiest way would be to add a rule to renderer.sb, the language it uses > is undocumented but very easy to use, you can find the file in the source > tree. > > May I ask why you want the renderer to be able to read/write files in /tmp? > > Best regards, > Jeremy > > On Thu, Jul 30, 2009 at 7:32 PM, n179911 wrote: >> >> I would like to change it so that the renderer can create/write file on >> /tmp. >> >> Like this 'kSBXProfileNoWriteExceptTemporary' profile. >> >> On Thu, Jul 30, 2009 at 9:43 AM, Jeremy Moskovich >> wrote: >> > Is this just out of curiosity? Is there something specific you're >> > trying to >> > achieve? >> > On Thu, Jul 30, 2009 at 9:32 AM, n179911 wrote: >> >> >> >> On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich >> >> wrote: >> >> > Hi, >> >> > It would really help if you could provide some details on what your >> >> > trying >> >> > to do. >> >> > Best regards, >> >> > Jeremy >> >> > >> >> From the >> >> >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design >> >> >> >> It said "In the renderer, we would probably want to use a combination >> >> of >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would >> >> like to get by with kSBXProfilePureComputation," >> >> >> >> I am trying to see what it the current setting in chromium. I can't >> >> find that in renderer.sb or when sandbox_init() is called. And then I >> >> would want to see if I can switch it to 'kSBXProfilePureComputation' >> >> and see what may break. >> >> >> >> Regards, >> >> >> >> >> >> >> >> > On Thu, Jul 30, 2009 at 9:06 AM, n179911 wrote: >> >> >> >> >> >> Thank you. Can you please tell me how can I change the configure >> >> >> file >> >> >> (renderer.sb) to use >> >> >> other sandbox profile, like the one described in man page: >> >> >> >> >> >> * kSBXProfileNoInternet >> >> >> * kSBXProfileNoNetwork >> >> >> * kSBXProfileNoWrite >> >> >> * kSBXProfileNoWriteExceptTemporary >> >> >> * kSBXProfilePureComputation >> >> >> >> >> >> And I did try looking for the sandbox configuration format, but this >> >> >> is the only thing I found, but it does not contain sandbox config >> >> >> file >> >> >> format >> >> >> >> >> >> >> >> >> >> >> >> http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html >> >> >> >> >> >> >> >> >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van >> >> >> Lenten >> >> >> wrote: >> >> >> > Those constants are pre-configured settings. The NAMED_EXTERNAL >> >> >> > flag >> >> >> > lets >> >> >> > us pass in our own config, which is the renderer.sb. Apple hasn't >> >> >> > really >> >> >> > documented the file format, but if you do some searching on the >> >> >> > web, >> >> >> > you'll >> >> >> > find some documentation folks have figured out and I believe there >> >> >> > was a >> >> >> > talk given at one point by some of the Apple folks that work on >> >> >> > it. >> >> >> > TVL >> >> >> > >> >> >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 >> >> >> > wrote: >> >> >> >> >> >> >> >> Hi, >> >> >> >> >> >> >> >> I read this article: >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design >> >> >> >> >> >> >> >> It said Mac OSX supports five constants for sandbox access >> >> >> >> restrictions: >> >> >> >> >> >> >> >> * kSBXProfileNoInternet >> >> >> >> * kSBXProfileNoNetwork >> >> >> >> * kSBXProfileNoWrite >> >> >> >> * kSBXProfileNoWriteExceptTemporary >> >> >> >> * kSBXProfilePureComputation >> >> >> >> >> >> >> >> In the renderer, we would probably want to use a combination of >> >> >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we >> >> >> >> would >> >> >> >> like to get by with kSBXProfilePureComputation, >> >> >> >> >> >> >> >> Can you please which access restrictions the renderer of chromium >> >> >> >> is >> >> >> >> currently set to? >> >> >> >> I have looked at renderer_main_platform_delegate_mac.mm, which I >> >> >> >> believe is how/where chromium set the access restrictions to. But >> >> >> >> from >> >> >> >> the code, i can't tell which access restrictions it assigns to >> >> >> >> renderer. >> >> >> >> >> >> >> >> int error = sandbox_init(sandbox_profile, >> >> >> >> SANDBOX_NAMED_EXTERNAL, >> >> >> >> &error_buff); >> >> >> >> >> >> >> >> And I have looked at the file 'renderer.sb', it does not contains >> >> >> >> any >> >> >> >> of the above 5 access restrictions string either. >> >> >> >> >> >> >> >> Thank you for your help. >> >> >> >> >> >> >> >> Regards, >> >> >> >> >> >> >> >> >> >> >> >> > >> >> >> > >> >> >> >> >> >> >> >> >> >> >> > >> >> > >> > >> > > > --~--~-~--~~~---~--~~ C
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
The easiest way would be to add a rule to renderer.sb, the language it uses is undocumented but very easy to use, you can find the file in the source tree. May I ask why you want the renderer to be able to read/write files in /tmp? Best regards, Jeremy On Thu, Jul 30, 2009 at 7:32 PM, n179911 wrote: > I would like to change it so that the renderer can create/write file on > /tmp. > > Like this 'kSBXProfileNoWriteExceptTemporary' profile. > > On Thu, Jul 30, 2009 at 9:43 AM, Jeremy Moskovich > wrote: > > Is this just out of curiosity? Is there something specific you're trying > to > > achieve? > > On Thu, Jul 30, 2009 at 9:32 AM, n179911 wrote: > >> > >> On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich > >> wrote: > >> > Hi, > >> > It would really help if you could provide some details on what your > >> > trying > >> > to do. > >> > Best regards, > >> > Jeremy > >> > > >> From the > >> > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > >> > >> It said "In the renderer, we would probably want to use a combination of > >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > >> like to get by with kSBXProfilePureComputation," > >> > >> I am trying to see what it the current setting in chromium. I can't > >> find that in renderer.sb or when sandbox_init() is called. And then I > >> would want to see if I can switch it to 'kSBXProfilePureComputation' > >> and see what may break. > >> > >> Regards, > >> > >> > >> > >> > On Thu, Jul 30, 2009 at 9:06 AM, n179911 wrote: > >> >> > >> >> Thank you. Can you please tell me how can I change the configure file > >> >> (renderer.sb) to use > >> >> other sandbox profile, like the one described in man page: > >> >> > >> >> * kSBXProfileNoInternet > >> >> * kSBXProfileNoNetwork > >> >> * kSBXProfileNoWrite > >> >> * kSBXProfileNoWriteExceptTemporary > >> >> * kSBXProfilePureComputation > >> >> > >> >> And I did try looking for the sandbox configuration format, but this > >> >> is the only thing I found, but it does not contain sandbox config > file > >> >> format > >> >> > >> >> > >> >> > http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html > >> >> > >> >> > >> >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van > >> >> Lenten > >> >> wrote: > >> >> > Those constants are pre-configured settings. The NAMED_EXTERNAL > flag > >> >> > lets > >> >> > us pass in our own config, which is the renderer.sb. Apple hasn't > >> >> > really > >> >> > documented the file format, but if you do some searching on the > web, > >> >> > you'll > >> >> > find some documentation folks have figured out and I believe there > >> >> > was a > >> >> > talk given at one point by some of the Apple folks that work on it. > >> >> > TVL > >> >> > > >> >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 > wrote: > >> >> >> > >> >> >> Hi, > >> >> >> > >> >> >> I read this article: > >> >> >> > >> >> >> > >> >> >> > >> >> >> > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > >> >> >> > >> >> >> It said Mac OSX supports five constants for sandbox access > >> >> >> restrictions: > >> >> >> > >> >> >>* kSBXProfileNoInternet > >> >> >>* kSBXProfileNoNetwork > >> >> >>* kSBXProfileNoWrite > >> >> >>* kSBXProfileNoWriteExceptTemporary > >> >> >>* kSBXProfilePureComputation > >> >> >> > >> >> >> In the renderer, we would probably want to use a combination of > >> >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > >> >> >> like to get by with kSBXProfilePureComputation, > >> >> >> > >> >> >> Can you please which access restrictions the renderer of chromium > is > >> >> >> currently set to? > >> >> >> I have looked at renderer_main_platform_delegate_mac.mm, which I > >> >> >> believe is how/where chromium set the access restrictions to. But > >> >> >> from > >> >> >> the code, i can't tell which access restrictions it assigns to > >> >> >> renderer. > >> >> >> > >> >> >> int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, > >> >> >> &error_buff); > >> >> >> > >> >> >> And I have looked at the file 'renderer.sb', it does not contains > >> >> >> any > >> >> >> of the above 5 access restrictions string either. > >> >> >> > >> >> >> Thank you for your help. > >> >> >> > >> >> >> Regards, > >> >> >> > >> >> >> >> > >> >> > > >> >> > > >> >> > >> >> > >> >> > >> > > >> > > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
I would like to change it so that the renderer can create/write file on /tmp. Like this 'kSBXProfileNoWriteExceptTemporary' profile. On Thu, Jul 30, 2009 at 9:43 AM, Jeremy Moskovich wrote: > Is this just out of curiosity? Is there something specific you're trying to > achieve? > On Thu, Jul 30, 2009 at 9:32 AM, n179911 wrote: >> >> On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich >> wrote: >> > Hi, >> > It would really help if you could provide some details on what your >> > trying >> > to do. >> > Best regards, >> > Jeremy >> > >> From the >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design >> >> It said "In the renderer, we would probably want to use a combination of >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would >> like to get by with kSBXProfilePureComputation," >> >> I am trying to see what it the current setting in chromium. I can't >> find that in renderer.sb or when sandbox_init() is called. And then I >> would want to see if I can switch it to 'kSBXProfilePureComputation' >> and see what may break. >> >> Regards, >> >> >> >> > On Thu, Jul 30, 2009 at 9:06 AM, n179911 wrote: >> >> >> >> Thank you. Can you please tell me how can I change the configure file >> >> (renderer.sb) to use >> >> other sandbox profile, like the one described in man page: >> >> >> >> * kSBXProfileNoInternet >> >> * kSBXProfileNoNetwork >> >> * kSBXProfileNoWrite >> >> * kSBXProfileNoWriteExceptTemporary >> >> * kSBXProfilePureComputation >> >> >> >> And I did try looking for the sandbox configuration format, but this >> >> is the only thing I found, but it does not contain sandbox config file >> >> format >> >> >> >> >> >> http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html >> >> >> >> >> >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van >> >> Lenten >> >> wrote: >> >> > Those constants are pre-configured settings. The NAMED_EXTERNAL flag >> >> > lets >> >> > us pass in our own config, which is the renderer.sb. Apple hasn't >> >> > really >> >> > documented the file format, but if you do some searching on the web, >> >> > you'll >> >> > find some documentation folks have figured out and I believe there >> >> > was a >> >> > talk given at one point by some of the Apple folks that work on it. >> >> > TVL >> >> > >> >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 wrote: >> >> >> >> >> >> Hi, >> >> >> >> >> >> I read this article: >> >> >> >> >> >> >> >> >> >> >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design >> >> >> >> >> >> It said Mac OSX supports five constants for sandbox access >> >> >> restrictions: >> >> >> >> >> >> * kSBXProfileNoInternet >> >> >> * kSBXProfileNoNetwork >> >> >> * kSBXProfileNoWrite >> >> >> * kSBXProfileNoWriteExceptTemporary >> >> >> * kSBXProfilePureComputation >> >> >> >> >> >> In the renderer, we would probably want to use a combination of >> >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would >> >> >> like to get by with kSBXProfilePureComputation, >> >> >> >> >> >> Can you please which access restrictions the renderer of chromium is >> >> >> currently set to? >> >> >> I have looked at renderer_main_platform_delegate_mac.mm, which I >> >> >> believe is how/where chromium set the access restrictions to. But >> >> >> from >> >> >> the code, i can't tell which access restrictions it assigns to >> >> >> renderer. >> >> >> >> >> >> int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, >> >> >> &error_buff); >> >> >> >> >> >> And I have looked at the file 'renderer.sb', it does not contains >> >> >> any >> >> >> of the above 5 access restrictions string either. >> >> >> >> >> >> Thank you for your help. >> >> >> >> >> >> Regards, >> >> >> >> >> >> >> >> >> > >> >> > >> >> >> >> >> >> >> > >> > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
On Thursday, July 30, 2009, n179911 wrote: > I am trying to see what it the current setting in chromium. I can't > find that in http://renderer.sb or when sandbox_init() is called. As TVL said in his earlier reply, renderer.sb *is* the current setting. We use a custom set of allow/deny rules rather than one of the pre-canned defaults. > And then I would want to see if I can switch it to > 'kSBXProfilePureComputation' > and see what may break. Reading renderer.sb should give you exactly that information; all of the exclusions there were added for a reason (documented in the file). The design doc you are reading sounds like it hasn't been updated since the sandbox was actually implemented; it should probably be updated. -Stuart --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
Is this just out of curiosity? Is there something specific you're trying to achieve? On Thu, Jul 30, 2009 at 9:32 AM, n179911 wrote: > On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich > wrote: > > Hi, > > It would really help if you could provide some details on what your > trying > > to do. > > Best regards, > > Jeremy > > > From the > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > > It said "In the renderer, we would probably want to use a combination of > kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > like to get by with kSBXProfilePureComputation," > > I am trying to see what it the current setting in chromium. I can't > find that in renderer.sb or when sandbox_init() is called. And then I > would want to see if I can switch it to 'kSBXProfilePureComputation' > and see what may break. > > Regards, > > > > > On Thu, Jul 30, 2009 at 9:06 AM, n179911 wrote: > >> > >> Thank you. Can you please tell me how can I change the configure file > >> (renderer.sb) to use > >> other sandbox profile, like the one described in man page: > >> > >> * kSBXProfileNoInternet > >> * kSBXProfileNoNetwork > >> * kSBXProfileNoWrite > >> * kSBXProfileNoWriteExceptTemporary > >> * kSBXProfilePureComputation > >> > >> And I did try looking for the sandbox configuration format, but this > >> is the only thing I found, but it does not contain sandbox config file > >> format > >> > >> > http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html > >> > >> > >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van Lenten< > thoma...@chromium.org> > >> wrote: > >> > Those constants are pre-configured settings. The NAMED_EXTERNAL flag > >> > lets > >> > us pass in our own config, which is the renderer.sb. Apple hasn't > >> > really > >> > documented the file format, but if you do some searching on the web, > >> > you'll > >> > find some documentation folks have figured out and I believe there was > a > >> > talk given at one point by some of the Apple folks that work on it. > >> > TVL > >> > > >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 wrote: > >> >> > >> >> Hi, > >> >> > >> >> I read this article: > >> >> > >> >> > >> >> > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > >> >> > >> >> It said Mac OSX supports five constants for sandbox access > >> >> restrictions: > >> >> > >> >>* kSBXProfileNoInternet > >> >>* kSBXProfileNoNetwork > >> >>* kSBXProfileNoWrite > >> >>* kSBXProfileNoWriteExceptTemporary > >> >>* kSBXProfilePureComputation > >> >> > >> >> In the renderer, we would probably want to use a combination of > >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > >> >> like to get by with kSBXProfilePureComputation, > >> >> > >> >> Can you please which access restrictions the renderer of chromium is > >> >> currently set to? > >> >> I have looked at renderer_main_platform_delegate_mac.mm, which I > >> >> believe is how/where chromium set the access restrictions to. But > from > >> >> the code, i can't tell which access restrictions it assigns to > >> >> renderer. > >> >> > >> >> int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, > >> >> &error_buff); > >> >> > >> >> And I have looked at the file 'renderer.sb', it does not contains > any > >> >> of the above 5 access restrictions string either. > >> >> > >> >> Thank you for your help. > >> >> > >> >> Regards, > >> >> > >> >> >> > >> > > >> > > >> > >> > >> > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich wrote: > Hi, > It would really help if you could provide some details on what your trying > to do. > Best regards, > Jeremy > >From the >http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design It said "In the renderer, we would probably want to use a combination of kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would like to get by with kSBXProfilePureComputation," I am trying to see what it the current setting in chromium. I can't find that in renderer.sb or when sandbox_init() is called. And then I would want to see if I can switch it to 'kSBXProfilePureComputation' and see what may break. Regards, > On Thu, Jul 30, 2009 at 9:06 AM, n179911 wrote: >> >> Thank you. Can you please tell me how can I change the configure file >> (renderer.sb) to use >> other sandbox profile, like the one described in man page: >> >> * kSBXProfileNoInternet >> * kSBXProfileNoNetwork >> * kSBXProfileNoWrite >> * kSBXProfileNoWriteExceptTemporary >> * kSBXProfilePureComputation >> >> And I did try looking for the sandbox configuration format, but this >> is the only thing I found, but it does not contain sandbox config file >> format >> >> http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html >> >> >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van Lenten >> wrote: >> > Those constants are pre-configured settings. The NAMED_EXTERNAL flag >> > lets >> > us pass in our own config, which is the renderer.sb. Apple hasn't >> > really >> > documented the file format, but if you do some searching on the web, >> > you'll >> > find some documentation folks have figured out and I believe there was a >> > talk given at one point by some of the Apple folks that work on it. >> > TVL >> > >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 wrote: >> >> >> >> Hi, >> >> >> >> I read this article: >> >> >> >> >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design >> >> >> >> It said Mac OSX supports five constants for sandbox access >> >> restrictions: >> >> >> >> * kSBXProfileNoInternet >> >> * kSBXProfileNoNetwork >> >> * kSBXProfileNoWrite >> >> * kSBXProfileNoWriteExceptTemporary >> >> * kSBXProfilePureComputation >> >> >> >> In the renderer, we would probably want to use a combination of >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would >> >> like to get by with kSBXProfilePureComputation, >> >> >> >> Can you please which access restrictions the renderer of chromium is >> >> currently set to? >> >> I have looked at renderer_main_platform_delegate_mac.mm, which I >> >> believe is how/where chromium set the access restrictions to. But from >> >> the code, i can't tell which access restrictions it assigns to >> >> renderer. >> >> >> >> int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, >> >> &error_buff); >> >> >> >> And I have looked at the file 'renderer.sb', it does not contains any >> >> of the above 5 access restrictions string either. >> >> >> >> Thank you for your help. >> >> >> >> Regards, >> >> >> >> >> >> > >> > >> >> >> > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
As the man page says, you to use one of the kSBXProfile* constants for the profile argument, you need to change the flags to say you are using a named profile instead of an external one. TVL On Thu, Jul 30, 2009 at 12:06 PM, n179911 wrote: > Thank you. Can you please tell me how can I change the configure file > (renderer.sb) to use > other sandbox profile, like the one described in man page: > > * kSBXProfileNoInternet > * kSBXProfileNoNetwork > * kSBXProfileNoWrite > * kSBXProfileNoWriteExceptTemporary > * kSBXProfilePureComputation > > And I did try looking for the sandbox configuration format, but this > is the only thing I found, but it does not contain sandbox config file > format > > http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html > > > On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van Lenten > wrote: > > Those constants are pre-configured settings. The NAMED_EXTERNAL flag > lets > > us pass in our own config, which is the renderer.sb. Apple hasn't > really > > documented the file format, but if you do some searching on the web, > you'll > > find some documentation folks have figured out and I believe there was a > > talk given at one point by some of the Apple folks that work on it. > > TVL > > > > On Thu, Jul 30, 2009 at 2:32 AM, n179911 wrote: > >> > >> Hi, > >> > >> I read this article: > >> > >> > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > >> > >> It said Mac OSX supports five constants for sandbox access restrictions: > >> > >>* kSBXProfileNoInternet > >>* kSBXProfileNoNetwork > >>* kSBXProfileNoWrite > >>* kSBXProfileNoWriteExceptTemporary > >>* kSBXProfilePureComputation > >> > >> In the renderer, we would probably want to use a combination of > >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > >> like to get by with kSBXProfilePureComputation, > >> > >> Can you please which access restrictions the renderer of chromium is > >> currently set to? > >> I have looked at renderer_main_platform_delegate_mac.mm, which I > >> believe is how/where chromium set the access restrictions to. But from > >> the code, i can't tell which access restrictions it assigns to > >> renderer. > >> > >> int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, > >> &error_buff); > >> > >> And I have looked at the file 'renderer.sb', it does not contains any > >> of the above 5 access restrictions string either. > >> > >> Thank you for your help. > >> > >> Regards, > >> > >> > >> > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
Hi, It would really help if you could provide some details on what your trying to do. Best regards, Jeremy On Thu, Jul 30, 2009 at 9:06 AM, n179911 wrote: > > Thank you. Can you please tell me how can I change the configure file > (renderer.sb) to use > other sandbox profile, like the one described in man page: > > * kSBXProfileNoInternet > * kSBXProfileNoNetwork > * kSBXProfileNoWrite > * kSBXProfileNoWriteExceptTemporary > * kSBXProfilePureComputation > > And I did try looking for the sandbox configuration format, but this > is the only thing I found, but it does not contain sandbox config file > format > > http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html > > > On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van Lenten > wrote: > > Those constants are pre-configured settings. The NAMED_EXTERNAL flag > lets > > us pass in our own config, which is the renderer.sb. Apple hasn't > really > > documented the file format, but if you do some searching on the web, > you'll > > find some documentation folks have figured out and I believe there was a > > talk given at one point by some of the Apple folks that work on it. > > TVL > > > > On Thu, Jul 30, 2009 at 2:32 AM, n179911 wrote: > >> > >> Hi, > >> > >> I read this article: > >> > >> > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > >> > >> It said Mac OSX supports five constants for sandbox access restrictions: > >> > >>* kSBXProfileNoInternet > >>* kSBXProfileNoNetwork > >>* kSBXProfileNoWrite > >>* kSBXProfileNoWriteExceptTemporary > >>* kSBXProfilePureComputation > >> > >> In the renderer, we would probably want to use a combination of > >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > >> like to get by with kSBXProfilePureComputation, > >> > >> Can you please which access restrictions the renderer of chromium is > >> currently set to? > >> I have looked at renderer_main_platform_delegate_mac.mm, which I > >> believe is how/where chromium set the access restrictions to. But from > >> the code, i can't tell which access restrictions it assigns to > >> renderer. > >> > >> int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, > >> &error_buff); > >> > >> And I have looked at the file 'renderer.sb', it does not contains any > >> of the above 5 access restrictions string either. > >> > >> Thank you for your help. > >> > >> Regards, > >> > >> >> > > > > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
Thank you. Can you please tell me how can I change the configure file (renderer.sb) to use other sandbox profile, like the one described in man page: * kSBXProfileNoInternet * kSBXProfileNoNetwork * kSBXProfileNoWrite * kSBXProfileNoWriteExceptTemporary * kSBXProfilePureComputation And I did try looking for the sandbox configuration format, but this is the only thing I found, but it does not contain sandbox config file format http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van Lenten wrote: > Those constants are pre-configured settings. The NAMED_EXTERNAL flag lets > us pass in our own config, which is the renderer.sb. Apple hasn't really > documented the file format, but if you do some searching on the web, you'll > find some documentation folks have figured out and I believe there was a > talk given at one point by some of the Apple folks that work on it. > TVL > > On Thu, Jul 30, 2009 at 2:32 AM, n179911 wrote: >> >> Hi, >> >> I read this article: >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design >> >> It said Mac OSX supports five constants for sandbox access restrictions: >> >> * kSBXProfileNoInternet >> * kSBXProfileNoNetwork >> * kSBXProfileNoWrite >> * kSBXProfileNoWriteExceptTemporary >> * kSBXProfilePureComputation >> >> In the renderer, we would probably want to use a combination of >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would >> like to get by with kSBXProfilePureComputation, >> >> Can you please which access restrictions the renderer of chromium is >> currently set to? >> I have looked at renderer_main_platform_delegate_mac.mm, which I >> believe is how/where chromium set the access restrictions to. But from >> the code, i can't tell which access restrictions it assigns to >> renderer. >> >> int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, >> &error_buff); >> >> And I have looked at the file 'renderer.sb', it does not contains any >> of the above 5 access restrictions string either. >> >> Thank you for your help. >> >> Regards, >> >> >> > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: Question about chromium sandbox on Mac OSX
Those constants are pre-configured settings. The NAMED_EXTERNAL flag lets us pass in our own config, which is the renderer.sb. Apple hasn't really documented the file format, but if you do some searching on the web, you'll find some documentation folks have figured out and I believe there was a talk given at one point by some of the Apple folks that work on it. TVL On Thu, Jul 30, 2009 at 2:32 AM, n179911 wrote: > > Hi, > > I read this article: > > http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design > > It said Mac OSX supports five constants for sandbox access restrictions: > >* kSBXProfileNoInternet >* kSBXProfileNoNetwork >* kSBXProfileNoWrite >* kSBXProfileNoWriteExceptTemporary >* kSBXProfilePureComputation > > In the renderer, we would probably want to use a combination of > kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would > like to get by with kSBXProfilePureComputation, > > Can you please which access restrictions the renderer of chromium is > currently set to? > I have looked at renderer_main_platform_delegate_mac.mm, which I > believe is how/where chromium set the access restrictions to. But from > the code, i can't tell which access restrictions it assigns to > renderer. > > int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL, > &error_buff); > > And I have looked at the file 'renderer.sb', it does not contains any > of the above 5 access restrictions string either. > > Thank you for your help. > > Regards, > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---