On 2012-9-2 14:36 , Jordan K. Hubbard wrote:
>
> I also got distracted by the notion of creating a MAC policy (kernel
> module) instead since MAC has hooks for every single filesystem
> operation and allows one to implement tracing below the syscall layer
> such that it doesn't matter whether the syscalls are 32 bit, 64 bit or
> how the syscalls which manipulate files change or evolve over time. To
> be honest, that would be the architecturally superior approach given the
> two alternatives, but would also (as I quickly found out) be rather more
> difficult to do since implementing the kernel module and the hooks in
> macports to trigger the hooks on all of its (the subject's) file objects
> is kind of advanced class and MAC is not an officially supported API -
> it's more of an internal implementation detail of XNU.

I completely agree, it would be better for the OS to provide the mechanisms. Please make it happen. ;-) With sandboxing clearly catching on on Apple, I'd kind of been hoping that we would get an API for this sort of thing along with it.

> All that said, the functionality is still very cool, regardless of how
> it's implemented, and I hope that someone does dive on the challenge
> since proper enforcement and validation of what MacPorts is doing for a
> specific port could really provide some much needed safety belting of
> the process, particularly as the ports collection continues to grow.

Indeed.

- Josh
_______________________________________________
macports-dev mailing list
http://lists.macosforge.org/mailman/listinfo/macports-dev
