tech-pkg archive


Re: Do not make mksh the default shell on macOS



* On 2020-07-14 at 17:49 BST, J. Lewis Muir wrote:

> On 07/14, Jonathan Perkin wrote:
> > * On 2020-07-14 at 12:09 BST, Greg Troxel wrote:
> > > Is it possible to run pbulk on macos now, with SIP enabled?
> > 
> > It's not specifically whether pbulk runs, it's that there are a number
> > of issues regarding creating sandboxes that SIP prevents.  The most
> > important one is that DNS resolution does not work inside as it's not
> > possible to modify mDNSResponder to listen on additional sockets, but
> > from memory even working around that with static entries in /etc/hosts
> > still resulted in other problems (I'll probably try again one day).
> 
> I know you tried various things, and this is complicated, but I think
> you considered (or even tried?) using socat at one point, so if you ever
> go back to trying a socket-proxy approach, this guy, referring to socat
> not working, said in
> 
>   https://stackoverflow.com/a/55388425
> 
> the following:
> 
>   The problem here is that requests and responses on the
>   /var/run/mDNSResponder socket use the "ancillary data" feature of the
>   recvmsg and sendmsg system calls, and socat doesn't proxy ancillary
>   data.  I was able to get a custom proxy that does relay the ancillary
>   data to work and provide DNS to processes inside a chroot.
> 
> I don't know how his custom proxy worked, but maybe that's another
> option: provide a custom mDNSResponder proxy in the chroot.

Yeh possibly, it basically just needs a lot of time and
experimentation to see if there are enough workarounds to make it
viable, at least until Apple restrict things even further.

I took a quick look at jmmv's sandboxctl stuff, and he appears to be
running into other issues too:

  https://github.com/jmmv/sandboxctl/commit/05bccf64974b8627f6ba6e81041e8b2a49c03434

The xcodebuild thing is ringing bells for me, I think I saw something
similar.

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
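The Stack Overflow explanation quoted above, as an added example (not the thread's custom proxy and not code from the list): one hop of a Unix-socket proxy in C that forwards a message together with its SCM_RIGHTS ancillary data, which is the part socat does not relay, exercised by an in-process client/proxy/server round trip over constructed socketpairs. The function names (send_fds, recv_fds, relay_msg, demo_relay) are the example's own.

```c
/* Added demo (not the thread's proxy): one proxy hop that relays SCM_RIGHTS ancillary data, which socat drops. */
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_FDS 8
/* Send `len` bytes with `nfds` descriptors attached as one SCM_RIGHTS control message. */
ssize_t send_fds(int sock, const void *data, size_t len, const int *fds, int nfds) {
    char ctrl[CMSG_SPACE(sizeof(int) * MAX_FDS)];
    struct iovec iov = { .iov_base = (void *)data, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = nfds > 0 ? ctrl : NULL,
                          .msg_controllen = nfds > 0 ? CMSG_SPACE(sizeof(int) * nfds) : 0 };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);               /* NULL when nothing is passed */
    if (c) { c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int) * nfds); }
    if (c) memcpy(CMSG_DATA(c), fds, sizeof(int) * nfds);
    return sendmsg(sock, &msg, 0);
}
/* Receive one message: payload into buf, passed descriptors into fds[], their count into *nfds. */
ssize_t recv_fds(int sock, void *buf, size_t len, int *fds, int *nfds) {
    char ctrl[CMSG_SPACE(sizeof(int) * MAX_FDS)];          /* extra fds are truncated by the kernel */
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    ssize_t n = recvmsg(sock, &msg, 0); *nfds = 0;
    for (struct cmsghdr *c = n > 0 ? CMSG_FIRSTHDR(&msg) : NULL; c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) {
            *nfds = (int)((c->cmsg_len - CMSG_LEN(0)) / sizeof(int));
            memcpy(fds, CMSG_DATA(c), sizeof(int) * *nfds);
        }
    return n;
}
/* Proxy hop: forward one message plus its fds, then close the proxy's own copies (the peer already has duplicates). */
ssize_t relay_msg(int from, int to) {
    char buf[4096]; int fds[MAX_FDS], nfds;
    ssize_t n = recv_fds(from, buf, sizeof buf, fds, &nfds);
    if (n > 0) n = send_fds(to, buf, (size_t)n, fds, nfds);
    for (int i = 0; i < nfds; i++) close(fds[i]);          /* no fd leak in a long-running proxy */
    return n;
}
/* client -> proxy -> server over two in-process socketpairs (a constructed stand-in for the real socket).
 * The client passes its own socket end as the fd; the server proves the relayed copy is live by writing through it. */
int demo_relay(void) {
    int cp[2], ps[2], got[MAX_FDS], ngot; char buf[8], r[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, cp) || socketpair(AF_UNIX, SOCK_STREAM, 0, ps)) return 0;
    send_fds(cp[0], "query", 5, &cp[0], 1);                     /* client */
    relay_msg(cp[1], ps[0]);                                    /* proxy */
    ssize_t n = recv_fds(ps[1], buf, sizeof buf, got, &ngot);   /* server */
    int ok = n == 5 && !memcmp(buf, "query", 5) && ngot == 1 && write(got[0], "ok", 2) == 2
             && read(cp[1], r, 2) == 2 && !memcmp(r, "ok", 2);  /* 1 only if the relayed fd works */
    for (int i = 0; i < ngot; i++) close(got[i]); close(cp[0]); close(cp[1]); close(ps[0]); close(ps[1]);
    return ok;
}
```

A real proxy in front of /var/run/mDNSResponder would additionally loop over messages and cope with partial reads on the stream socket, which this single-hop demo does not attempt.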

