[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Do not make mksh the default shell on macOS
* On 2020-07-14 at 17:49 BST, J. Lewis Muir wrote:
> On 07/14, Jonathan Perkin wrote:
> > * On 2020-07-14 at 12:09 BST, Greg Troxel wrote:
> > > Is it possible to run pbulk on macos now, with SIP enabled?
> > It's not specifically whether pbulk runs, it's that there are a number
> > of issues regarding creating sandboxes that SIP prevents. The most
> > important one is that DNS resolution does not work inside as it's not
> > possible to modify mDNSResponder to listen on additional sockets, but
> > from memory even working around that with static entries in /etc/hosts
> > still resulted in other problems (I'll probably try again one day).
> I know you tried various things, and this is complicated, but I think
> you considered (or even tried?) using socat at one point, so if you ever
> go back to trying a socket-proxy approach, this guy, referring to socat
> not working, said in
> the following:
> The problem here is that requests and responses on the
> /var/run/mDNSResponder socket use the "ancillary data" feature of the
> recvmsg and sendmsg system calls, and socat doesn't proxy ancillary
> data. I was able to get a custom proxy that does relay the ancillary
> data to work and provide DNS to processes inside a chroot.
> I don't know how his custom proxy worked, but maybe that's another
> option: provide a custom mDNSResponder proxy in the chroot.
Yeh possibly, it basically just needs a lot of time and
experimentation to see if there are enough workarounds to make it
viable, at least until Apple restrict things even further.
I took a quick look at jmmv's sandboxctl stuff, and he appears to be
running into other issues too:
The xcodebuild thing is ringing bells for me, I think I saw something
Jonathan Perkin - Joyent, Inc. - www.joyent.com
Main Index |
Thread Index |