If you're just doing this for debugging purposes, an easier route would be to pass in the --no-sandbox flag to temporarily disable the sandbox entirely, documented here: http://sites.google.com/a/chromium.org/dev/developers/debugging-on-os-x

On Thu, Jul 30, 2009 at 8:00 PM, n179911 <[email protected]> wrote:
>
> Thank you all. I have a better understanding now.
>
> I just try to log some debug info of the renderer in /tmp that may
> help me understand things better.
>
> Regards,
>
> On Thu, Jul 30, 2009 at 7:36 PM, Jeremy Moskovich <[email protected]> wrote:
> > The easiest way would be to add a rule to renderer.sb, the language it uses
> > is undocumented but very easy to use, you can find the file in the source
> > tree.
> >
> > May I ask why you want the renderer to be able to read/write files in /tmp?
> >
> > Best regards,
> > Jeremy
> >
> > On Thu, Jul 30, 2009 at 7:32 PM, n179911 <[email protected]> wrote:
> >>
> >> I would like to change it so that the renderer can create/write file on
> >> /tmp.
> >>
> >> Like this 'kSBXProfileNoWriteExceptTemporary' profile.
> >>
> >> On Thu, Jul 30, 2009 at 9:43 AM, Jeremy Moskovich <[email protected]>
> >> wrote:
> >> > Is this just out of curiosity? Is there something specific you're
> >> > trying to achieve?
> >> > On Thu, Jul 30, 2009 at 9:32 AM, n179911 <[email protected]> wrote:
> >> >>
> >> >> On Thu, Jul 30, 2009 at 9:08 AM, Jeremy Moskovich <[email protected]>
> >> >> wrote:
> >> >> > Hi,
> >> >> > It would really help if you could provide some details on what
> >> >> > you're trying to do.
> >> >> > Best regards,
> >> >> > Jeremy
> >> >> >
> >> >> From the
> >> >>
> >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
> >> >>
> >> >> It said "In the renderer, we would probably want to use a combination
> >> >> of kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we would
> >> >> like to get by with kSBXProfilePureComputation,"
> >> >>
> >> >> I am trying to see what is the current setting in chromium. I can't
> >> >> find that in renderer.sb or when sandbox_init() is called. And then I
> >> >> would want to see if I can switch it to 'kSBXProfilePureComputation'
> >> >> and see what may break.
> >> >>
> >> >> Regards,
> >> >>
> >> >> > On Thu, Jul 30, 2009 at 9:06 AM, n179911 <[email protected]> wrote:
> >> >> >>
> >> >> >> Thank you. Can you please tell me how can I change the configure
> >> >> >> file (renderer.sb) to use other sandbox profile, like the one
> >> >> >> described in man page:
> >> >> >>
> >> >> >> * kSBXProfileNoInternet
> >> >> >> * kSBXProfileNoNetwork
> >> >> >> * kSBXProfileNoWrite
> >> >> >> * kSBXProfileNoWriteExceptTemporary
> >> >> >> * kSBXProfilePureComputation
> >> >> >>
> >> >> >> And I did try looking for the sandbox configuration format, but
> >> >> >> this is the only thing I found, but it does not contain sandbox
> >> >> >> config file format
> >> >> >>
> >> >> >> http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man3/sandbox_init.3.html
> >> >> >>
> >> >> >> On Thu, Jul 30, 2009 at 5:21 AM, Thomas Van Lenten <[email protected]>
> >> >> >> wrote:
> >> >> >> > Those constants are pre-configured settings. The NAMED_EXTERNAL
> >> >> >> > flag lets us pass in our own config, which is the renderer.sb.
> >> >> >> > Apple hasn't really documented the file format, but if you do
> >> >> >> > some searching on the web, you'll find some documentation folks
> >> >> >> > have figured out and I believe there was a talk given at one
> >> >> >> > point by some of the Apple folks that work on it.
> >> >> >> > TVL
> >> >> >> >
> >> >> >> > On Thu, Jul 30, 2009 at 2:32 AM, n179911 <[email protected]>
> >> >> >> > wrote:
> >> >> >> >>
> >> >> >> >> Hi,
> >> >> >> >>
> >> >> >> >> I read this article:
> >> >> >> >>
> >> >> >> >> http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
> >> >> >> >>
> >> >> >> >> It said Mac OSX supports five constants for sandbox access
> >> >> >> >> restrictions:
> >> >> >> >>
> >> >> >> >> * kSBXProfileNoInternet
> >> >> >> >> * kSBXProfileNoNetwork
> >> >> >> >> * kSBXProfileNoWrite
> >> >> >> >> * kSBXProfileNoWriteExceptTemporary
> >> >> >> >> * kSBXProfilePureComputation
> >> >> >> >>
> >> >> >> >> In the renderer, we would probably want to use a combination of
> >> >> >> >> kSBXProfileNoNetwork and kSBXProfileNoWrite. If possible, we
> >> >> >> >> would like to get by with kSBXProfilePureComputation,
> >> >> >> >>
> >> >> >> >> Can you please tell me which access restrictions the renderer of
> >> >> >> >> chromium is currently set to?
> >> >> >> >> I have looked at renderer_main_platform_delegate_mac.mm, which I
> >> >> >> >> believe is how/where chromium set the access restrictions to.
> >> >> >> >> But from the code, I can't tell which access restrictions it
> >> >> >> >> assigns to renderer.
> >> >> >> >>
> >> >> >> >> int error = sandbox_init(sandbox_profile,
> >> >> >> >>                          SANDBOX_NAMED_EXTERNAL,
> >> >> >> >>                          &error_buff);
> >> >> >> >>
> >> >> >> >> And I have looked at the file 'renderer.sb', it does not contain
> >> >> >> >> any of the above 5 access restrictions string either.
> >> >> >> >>
> >> >> >> >> Thank you for your help.
> >> >> >> >>
> >> >> >> >> Regards,

--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
