On 13.11.2016 at 22:59, Tommaso Cucinotta <tomm...@lyx.org> wrote:
>
> On 13/11/2016 22:50, Tommaso Cucinotta wrote:
>> On 13/11/2016 15:10, Kornel Benko wrote:
>>> Yes, creating the cmake changes for unix(linux) like platforms. Don't know,
>>> what to do for windows or MAC.
>>
>> From a lightning fast investigation, it seems that Mac OS-X has an "App
>> Sandbox" feature that can be used for the purpose, not sure whether the same
>> as the sandbox-exec syscall since OS-X 10.9:
>>
>> https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html
>> https://developer.apple.com/library/content/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
>>
>> On Windows, I could only find this Low Integrity Level and accompanying
>> Integrity ACL:
>>
>> https://en.wikipedia.org/wiki/Mandatory_Integrity_Control
>> https://en.wikipedia.org/wiki/Cacls#icacls
>>
>> But, the latter wikipedia pointer claims icacls is all broken.
>>
>> We'd need Mac and Windows devels to have a glance at the above.
>
> Namely, looks like:
>
> -) on Linux with AppArmor, we use lyxwrap, and/or just apply a profile to LyX
>    with restriction on *any* sub-process:
>    lyxwrap <command> <args>...
>
> -) on Mac OS-X supporting sandboxing, we call:
>    sandbox-exec <command> <args>...
>
> -) on Windows, we call:
>    icacls /setintegritylevel Low <command> <args>...
>
> All to be validated, tried & adapted for the LyX use-case.
>
> T.
sandbox-exec is a very good idea. I didn’t know it. There are predefined profiles for sandboxes on Mac. One example follows:

================
$ sandbox-exec -n no-write-except-temporary bash
bash-3.2$ touch /tmp/x
bash-3.2$ touch $HOME/x
touch: /Users/stephan/x: Operation not permitted
bash-3.2$ exit
================

Probably we need some more tweaking to make a really good sandbox (e.g. limit network access too?).

IMO, a prerequisite to make this technology useful for LyX is to create child processes with only one code path. ATM we have many ways to execute sub-commands for compiling TeX or converting images or executing CAS commands or unzipping files. I don’t know exactly how many different ways to create a child process are used.

Stephan
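The "one code path for child processes" idea from the thread, sketched as an added example (not LyX code): a single launcher function that picks the per-platform sandbox command discussed above and refuses to run a sub-command unconfined when no launcher is known. The function names, the assumption that `lyxwrap` is on PATH, and the choice of the built-in `no-write-except-temporary` profile are this example's own assumptions; the Windows `icacls` variant is left out because the thread marks it as unvalidated.

```shell
#!/bin/sh
# Hypothetical single entry point for every LyX sub-command (latex runs, image
# converters, CAS calls, unzip ...). Added example, not code from the LyX project.

# Print the sandbox launcher for a platform name as reported by `uname -s`.
# Returns non-zero when no launcher is known so that callers fail closed.
sandbox_prefix() {
    case "$1" in
        Darwin)
            # Built-in profile shown in the thread: writes only to temporary dirs.
            echo "sandbox-exec -n no-write-except-temporary" ;;
        Linux)
            # lyxwrap: the AppArmor-confined wrapper from the thread (assumed on PATH).
            echo "lyxwrap" ;;
        *)
            return 1 ;;
    esac
}

# Run "$@" under the platform sandbox. Unconfined execution is refused rather
# than silently falling back, so a missing sandbox is visible, not invisible.
run_sandboxed() {
    platform=$(uname -s)
    prefix=$(sandbox_prefix "$platform") || {
        echo "run_sandboxed: no sandbox launcher for $platform, refusing: $*" >&2
        return 127
    }
    # $prefix is deliberately unquoted: it is a command plus its options.
    $prefix "$@"
}
```

All sub-command launches would then go through `run_sandboxed latex foo.tex` and similar, which is the one place that needs to learn about profile tweaks such as denying network access.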