NAME
ssaannddbbooxxiinniitt, ssaannddbbooxxffrreeeeeerrrroorr - set process sandbox
SYNOPSIS
##iinncclluuddee <
int ssaannddbbooxxiinniitt(const char *profile, uint64t flags, char **errorbuf); void ssaannddbbooxxffrreeeeeerrrroorr(char *errorbuf);> DESCRIPTION
ssaannddbbooxxiinniitt() places the current process into a sandbox(7). TheNUL-terminated string profile specifies the profile to be used to config-
ure the sandbox. The flags specified are formed by or'ing the following values:SANDBOXNAMED The profile argument specifies a sandbox profile
named by one of the constants given in the AVAILABLE PROFILES section below. The out parameter *errorbuf will be set according to the error status.RETURN VALUES
Upon successful completion of ssaannddbbooxxiinniitt(), a value of 0 is returnedand *errorbuf is set to NULL. In the event of an error, a value of -1 is
returned and *errorbuf is set to a pointer to a NUL-terminated string
describing the error. This string may contain embedded newlines. This error information is suitable for developers and is not intended for end users. This pointer should be passed to sandboxfreeerror(3) to release the allocated storage when it is no longer needed. AVAILABLE PROFILES The following are brief descriptions of each available profile. Keep in mind that sandbox(7) restrictions are typically enforced at resource acquisition time. kSBXProfileNoInternet TCP/IP networking is prohibited.kSBXProfileNoNetwork All sockets-based networking is pro-
hibited. kSBXProfileNoWrite File system writes are prohibited. kSBXProfileNoWriteExceptTemporary File system writes are restricted to the temporary folder /var/tmp and the folder specified by the confstr(3)configuration variable CSDAR-
WINUSERTEMPDIR.kSBXProfilePureComputation All operating system services are pro-
hibited.SEE ALSO
sandbox-exec(1), sandbox(7), sandbox-compilerd(8)
Mac OS X July 7, 2007 Mac OS X