> Is it just to avoid adding sendmsg to the ports systrace policy? Why not
> add it - maybe not globally but just for file?

sendmsg with a CMSG fd passing in/out of such a jail is a bad thing.

However.

It is likely that a ports configure test may try to test this interface.
Not just CMSG, but sendmsg itself.

I suspect it needs to find that it works.

I doubt this is a system call that can be blocked.

It sounds like a great idea to limit the build environment substantially,
but an eye must be kept on fallout from being too strict.  That's the
problem with systrace; it is too easy to return an 'error' and a program
will continue...
