Hi,

On Sat, Sep 10, 2016 at 03:45:25PM +0200, René J.V. Bertin wrote:
> But I see quite a few items on there that are unlikely to call other
> applications. If this is only about preserving DYLD_LIBRARY_PRELOAD,
> why do you need to treat utilities like cat or rm?

cat and rm deal with files, consequently trace mode needs its code to be injected into them (as would fakeroot). Not copying them would mean their unmodified copies run without the "sandbox" enabled, since DYLD_INSERT_LIBRARIES wouldn't have any effect on them.

> And what happens when you (re)set one of the tainted env. variables in
> a shell or interpreter with the SIP bit set? Is it unset or filtered
> out when you call another executable, even if that exec doesn't have
> the SIP bit set?

It's kept, but how would you do that? You cannot inject code into that executable, and a port's build system specifies what shell scripts (for example) get run.

-- 
Clemens

_______________________________________________
macports-dev mailing list
[email protected]
https://lists.macosforge.org/mailman/listinfo/macports-dev
