Jeremy Evans wrote:
>
> If this is worthy of more work, the command line options can certainly
> be changed. I just used getopt(3) since it seemed like the easiest
> way to handle it.

I talked with theo about this some. I'd say it's probably too early, and may lead us down a weird path, where tame has to record all sorts of state and watch for certain "milestones" to be reached. that logic is better kept in the program.

currently, the tame model is that you modify the program as necessary to work best with tame. if you're doing that, add the tame calls you want. as you noticed, programs not expecting to work with tame require very permissive options and may not work even so.

chroot is probably the best comparison. yes, we provide a chroot(1), but practically nothing uses it. everything is instead calling chroot(2) on its own. the things that do use chroot(1) are doing so for specialized namespace reasons, not for sandboxing.