OSX Sandboxing for include file interference during build

A while ago I posted about using the OSX built-in sandbox to protect against unwanted file or network accesses.

Sometimes I perform Windows cross-compilation using Docker (e.g. dockcross) or, more typically, directly with cmake under OSX.

In both cases there is a chance that a library's cmake scripts do not resolve their dependencies correctly and pick up the system include files (e.g. /usr/include and /usr/local/include) instead of the cross-compilation toolchain's headers. The OSX sandbox comes in handy here: it can block access to one or more directories, so any stray lookup of a host header fails visibly during the build instead of silently producing a Windows binary compiled against OSX headers.

This is the OSX sandbox profile I am using:

(version 1)
(deny default)                       ; start from nothing: every operation must be allowed explicitly
(allow sysctl-read)
(allow signal)
(allow process-exec)                 ; cmake has to spawn the compiler and linker
(allow process-fork)
(allow mach* sysctl-read)
(allow file-read* (regex "^.*"))     ; read anywhere...
(deny file-read* (regex "^/usr/local/include.*") (regex "^/usr/include.*"))   ; ...except the system include dirs: this later deny overrides the blanket allow
(allow file-write* (regex (string-append "^/tmp/.*")) (regex (string-append "^" (regex-quote (param "target…
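The profile above wrapped in a small build driver, as an added example that is not code from the original post: the script generates the profile from a list of directories to block and runs cmake under sandbox-exec(1) with the build directory passed as the `target` parameter. The cmake invocation, the toolchain file name and the final write rule (the post's version of that line is cut off) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the sandbox profile
# from a list of directories to block and run a cmake build under it with
# sandbox-exec(1). Assumes macOS; "target" is the build directory, supplied
# with -D target=... on the sandbox-exec command line. The write rule at the
# end is an assumption, since the post's version of it is truncated.
set -eu

# Print an SBPL profile: read everything except the directories given as
# arguments; write only under /tmp and under the "target" parameter.
make_profile() {
  cat <<'EOF'
(version 1)
(deny default)
(allow sysctl-read)
(allow signal)
(allow process-exec)
(allow process-fork)
(allow mach* sysctl-read)
(allow file-read* (regex "^.*"))
EOF
  # One regex per blocked directory; this later deny overrides the allow above.
  printf '(deny file-read*'
  for dir in "$@"; do
    printf ' (regex "^%s.*")' "$dir"
  done
  printf ')\n'
  # Assumed write rule: scratch space under /tmp plus the build directory.
  printf '(allow file-write* (regex "^/tmp/.*") (regex (string-append "^" (regex-quote (param "target")))))\n'
}

# Run a command inside the sandbox with BUILD_DIR writable and the host
# include directories blocked. Only works on macOS, where sandbox-exec exists.
sandboxed_build() {
  build_dir=$1
  shift
  profile=$(mktemp /tmp/sbpl.XXXXXX)
  make_profile /usr/include /usr/local/include > "$profile"
  sandbox-exec -f "$profile" -D "target=$build_dir" "$@"
}

# Stand-alone run: always show the generated profile; configure and build
# only when sandbox-exec is present and SRC/BUILD point at a (hypothetical)
# project using an (equally hypothetical) mingw-w64 toolchain file.
make_profile /usr/include /usr/local/include
if command -v sandbox-exec >/dev/null 2>&1 && [ -n "${SRC-}" ] && [ -n "${BUILD-}" ]; then
  sandboxed_build "$BUILD" cmake -S "$SRC" -B "$BUILD" \
    -DCMAKE_TOOLCHAIN_FILE="$SRC/mingw-w64.cmake"
  sandboxed_build "$BUILD" cmake --build "$BUILD"
fi
```

When a badly written find-module reaches into a blocked directory, the compiler simply reports the header as missing, and the kernel records a `deny file-read-data` entry for the offending path in the system log (visible in Console.app or with `log stream`), which tells you exactly which dependency lookup went wrong. Two caveats: sandbox-exec is documented as deprecated but is still shipped, and macOS resolves /tmp to /private/tmp, so if writes to scratch files are refused add a matching rule for `^/private/tmp/.*` as well.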