@eruffaldi
Created June 21, 2017 12:50
Sandboxed Build for Cross-compilation
;; hideincludes.sb: loaded by the wrapper script below via sandbox-exec -f
(version 1)
(deny default)
(allow sysctl-read)
(allow signal)
(allow process-exec)
(allow process-fork)
(allow mach* sysctl-read)
;; Read everything, then carve out the system include directories: when several
;; rules match an operation the later one wins, so these denies override the
;; allow-everything rule above.
(allow file-read* (regex "^.*"))
(deny file-read* (regex "^/usr/local/include.*") (regex "^/usr/include.*"))
;; Writes only under /tmp and under the path passed as -Dtarget=...; the parameter
;; is regex-quoted so metacharacters in the path are matched literally.
;; Note: /tmp is a symlink to /private/tmp on macOS; if writes there are refused,
;; spell out /private/tmp as Apple's own profiles do.
(allow file-write* (regex (string-append "^/tmp/.*")) (regex (string-append "^" (regex-quote (param "target")) ".*")) )
#!/bin/bash
# Usage: allowedpath command [args...]
# Runs command under hideincludes.sb: /usr/include and /usr/local/include are
# unreadable, and only /tmp and allowedpath are writable.
set -eu
target=$1
shift 1
# allowedpath is interpolated into an anchored regex, so it has to be absolute.
case $target in /*) ;; *) echo "allowedpath must be absolute: $target" >&2; exit 2 ;; esac
# Directory of this script, where hideincludes.sb lives (no GNU realpath needed).
P=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
exec sandbox-exec -f "$P/hideincludes.sb" -Dtarget="$target" "$@"
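To reason about what the profile above permits without a Mac at hand, here is an added example (mine, not code from the gist): a toy Python evaluator for the subset of SBPL the profile uses. It parses the rules, substitutes the `target` parameter the way `-Dtarget=` does, ORs the filters inside one rule, and applies last-matching-rule-wins precedence, which is what lets the `deny file-read*` on the include directories override the preceding allow-everything rule. `resolve_like_macos` encodes an assumption, that path filters are matched against the resolved path (the reason Apple's own profiles spell out `/private/tmp`), and `HARDENED_PROFILE` is a suggested variant of mine using `subpath`, not the author's; confirm both against a real `sandbox-exec` before relying on them.

```python
import re

class Symbol(str):
    """Bare SBPL identifier (allow, file-read*, regex ...), as opposed to a quoted string literal."""

def parse_sexprs(text):
    """Parse SBPL (a Scheme dialect) into nested lists; ';' starts a comment."""
    tokens = [t for t in re.findall(r';[^\n]*|\(|\)|"(?:[^"\\]|\\.)*"|[^\s()";]+', text)
              if not t.startswith(";")]
    pos = 0

    def read():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1
            return items
        return tok[1:-1] if tok.startswith('"') else Symbol(tok)

    forms = []
    while pos < len(tokens):
        forms.append(read())
    return forms

def eval_string(expr, params):
    """Evaluate the string-valued forms SBPL allows inside path filters."""
    if isinstance(expr, Symbol):
        raise ValueError(f"unexpected symbol {expr!r}")
    if isinstance(expr, str):
        return expr
    head, *args = expr
    if head == "string-append":
        return "".join(eval_string(a, params) for a in args)
    if head == "regex-quote":  # escape metacharacters so the path is matched literally
        return re.escape(eval_string(args[0], params))
    if head == "param":  # value supplied on the command line as -Dname=value
        return params[eval_string(args[0], params)]
    raise ValueError(f"unsupported form {head!r}")

def compile_filter(form, params):
    """Turn one path filter into a predicate; several arguments are alternatives."""
    kind, *args = form
    values = [eval_string(a, params) for a in args]
    if kind == "regex":
        pats = [re.compile(v) for v in values]
        return lambda path: any(p.search(path) for p in pats)
    if kind == "subpath":
        return lambda path: any(path == v or path.startswith(v.rstrip("/") + "/") for v in values)
    raise ValueError(f"unsupported filter {kind!r}")

def op_matches(rule_op, operation):
    """'default' matches every operation; a trailing '*' is a prefix wildcard (file-read*, mach*)."""
    return rule_op == "default" or (operation.startswith(rule_op[:-1]) if rule_op.endswith("*") else operation == rule_op)

def resolve_like_macos(path):
    """Assumption: filters see the resolved path, and /tmp, /var, /etc are symlinks into /private."""
    return re.sub(r"^/(tmp|var|etc)(?=/|$)", r"/private/\1", path)

class Profile:
    def __init__(self, text, params=None):
        self.rules = []  # (allowed, operations, filters), in profile order
        for head, *rest in parse_sexprs(text):
            if head == "version":
                continue
            assert head in ("allow", "deny"), f"unsupported top-level form {head!r}"
            ops = [str(x) for x in rest if isinstance(x, Symbol)]
            filters = [compile_filter(x, params or {}) for x in rest if isinstance(x, list)]
            self.rules.append((head == "allow", ops, filters))

    def decide(self, operation, path=None):
        """True if allowed: the LAST matching rule wins, as in the real sandbox."""
        verdict = False  # nothing matched: implicit deny
        for allowed, ops, filters in self.rules:
            if any(op_matches(o, operation) for o in ops) and (
                    not filters or (path is not None and any(f(path) for f in filters))):
                verdict = allowed
        return verdict

# The gist's profile, verbatim.
GIST_PROFILE = """\
(version 1)
(deny default)
(allow sysctl-read)
(allow signal)
(allow process-exec)
(allow process-fork)
(allow mach* sysctl-read)
(allow file-read* (regex "^.*"))
(deny file-read* (regex "^/usr/local/include.*") (regex "^/usr/include.*"))
(allow file-write* (regex (string-append "^/tmp/.*")) (regex (string-append "^" (regex-quote (param "target")) ".*")) )
"""

# Hypothetical tightened variant (mine, not the author's): subpath filters, /private/tmp spelled out.
HARDENED_PROFILE = """\
(version 1)
(deny default)
(allow sysctl-read signal process-exec process-fork mach*)
(allow file-read*)
(deny file-read* (subpath "/usr/include") (subpath "/usr/local/include"))
(allow file-write* (subpath "/private/tmp") (subpath (param "target")))
"""
```

`Profile(GIST_PROFILE, {"target": "/Users/me/build"}).decide("file-write-data", "/private/tmp/a.o")` comes back False while the same path under `HARDENED_PROFILE` is allowed, and `/usr/includes/x.h` is readable under the `subpath` form but caught by the gist's open-ended `^/usr/include.*` regex; that pair of differences is the usual argument for `subpath` over `regex` in these profiles. A target such as `/Users/me/c++` still works with the gist's rule only because of `regex-quote`.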