Sandboxing

Archives Forums/MacOS X Discussion/Sandboxing

ima747(Posted 2012) [#1]
This has come up in the past and there hasn't been anything solid posted, at least that I've seen. While I was at WWDC last week I cornered an Xcode engineer and asked about it, here's the gist of what I learned.

1) You can make the sandboxing entitlements in Xcode, then just pull the plist out and use it for a command line compile (yay!)
2) You have to compile the entitlements into the app, it's not like the app store code signing process that happens afterwards (boo!). This means that you will have to likely modify bmk to alter the command line compile calls I suspect.
3) I *think* you can only include sandboxing when compiling with LLVM and not GCC... I don't use either from the command line, and am a bit remiss in their technical magic so I have no idea if this conversion is even possible for BMax, or how hard it might be...

And semi-related, garbage collection is being deprecated on OS X in favor of ARC. While this is AWESOME in many many ways, I suspect this too could be potentially fatal to BMax on the mac as it is built entirely around GC and I don't think the ARC auto processing will apply...

I may have misinterpreted some of this, and again I don't know too much about the command line voodoo that makes bmax work, so please correct if someone has some more solid facts or experience.
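
As an added example (not from this thread, and not BlitzMax or bmk code): once the entitlements plist has been pulled out of Xcode as in step 1, it is worth auditing before it is compiled into anything. The script below parses two constructed entitlements files with Python's `plistlib`, checks that `com.apple.security.app-sandbox` is actually set to true, lists the capabilities the file grants, and flags any `com.apple.security.temporary-exception.*` entries, since those punch holes in the sandbox container. The entitlement key names are Apple's documented App Sandbox keys; the sample files, their values and the function name `audit_entitlements` are constructed for illustration.

```python
import plistlib

# Constructed sample: an entitlements plist of the kind Xcode writes when the
# App Sandbox capability is switched on. Not taken from any real project.
SANDBOXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/Library/Application Support/ExampleApp/</string>
    </array>
</dict>
</plist>
"""

# Constructed sample: the sandbox key is present but false, so nothing else in
# the file is enforced as a container boundary.
UNSANDBOXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>
</plist>
"""

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."


def audit_entitlements(plist_bytes):
    """Parse an entitlements plist and summarise what it grants.

    Returns a dict with: whether the sandbox is really enabled, the boolean
    entitlements that are switched on, any temporary-exception entries, and a
    list of human-readable findings an auditor would want to see.
    """
    ents = plistlib.loads(plist_bytes)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a top-level dictionary")

    # The key must be present *and* true; a missing or false key means no sandbox.
    sandboxed = ents.get(SANDBOX_KEY) is True
    granted = sorted(k for k, v in ents.items() if v is True and k != SANDBOX_KEY)
    exceptions = {k: v for k, v in ents.items() if k.startswith(TEMP_EXCEPTION_PREFIX)}

    findings = []
    if not sandboxed:
        findings.append("App Sandbox is not enabled; the other entitlements do not "
                        "form a container boundary")
    for key, value in exceptions.items():
        findings.append(f"temporary exception widens the sandbox: {key} = {value!r}")

    return {
        "sandboxed": sandboxed,
        "granted": granted,
        "temporary_exceptions": exceptions,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, data in (("sandboxed", SANDBOXED_PLIST), ("unsandboxed", UNSANDBOXED_PLIST)):
        report = audit_entitlements(data)
        print(label, "->", "sandbox on" if report["sandboxed"] else "sandbox OFF")
        for g in report["granted"]:
            print("  grants:", g)
        for f in report["findings"]:
            print("  finding:", f)
```

The same function can be pointed at a real exported plist by reading the file as bytes; the check that matters most is the first one, because an entitlements file that lists capabilities but has the sandbox key absent or false gives no isolation at all.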


Yasha(Posted 2012) [#2]
ARC isn't a technology that really applies outside of Objective-C, as it relies on static analysis performed by Clang (not by LLVM itself, and not at runtime by some OSX component).

BlitzMax never used the particular GC system being deprecated anyway (OK technically it did, but only briefly and not in single-threaded mode), which is/was a tracing GC: the original ref-counting BlitzMax GC is (at least conceptually) similar to ARC already.


ima747(Posted 2012) [#3]
Thanks Yasha! Good to know the arc conversion shouldn't kill anything since it wasn't using the native GC.

Any insight on the possibility of converting from GCC to LLVM? That's really the core nugget of getting sandboxing working to my understanding.


Yasha(Posted 2012) [#4]
Well handily Clang is designed to be a "drop-in" replacement for GCC, so all of the same command-line options and so forth will be recognised, and either do the same things or safely do nothing.

As a result, replacing GCC with Clang should be easy for anyone who knows the dark arts of modifying bmk (which is not me, sadly). It's certainly possible: people have managed to make BlitzMax use MSVC in the past, so Clang should be trivial by comparison.

(Side note: LLVM isn't a C compiler, it's an optimiser/assembler backend only. The distinction is important because Apple have used more than one compiler targeting LLVM in the past, and all but Clang are now severely deprecated.)


ima747(Posted 2012) [#5]
Excellent to note. So in theory it should be possible to modify bmk into including an entitlements file if available, thus setting it all up for sandboxing... if only Brucy were around to bribe and beg...