by kochbeck 5183 days ago
I haven't delved deeply into the problem they're describing here, but it seems like I haven't really heard any very creative solutions to this.

For instance, can you still create a named pipe inside the sandbox that the parent process can have the right to use? Write to it, then you could just have a consumer that takes the output of that process and writes it to an imposed directory structure in SQLite blobs in a data store that the parent also owns. You'd lose some key functionality unless you chunked the data a bit. And, you know, mmap() would be impossible to simulate, but nobody ever promised a reliable implementation of that.

It confuses me, because I've seen a handful of these worries expressed, and it seems like a bunch of traditional UNIX-y methods for dealing with these kinds of problems are still open. I don't know what all the rules are, because I haven't really seriously looked at it, but I can think of at least three old UNIX tricks off the top of my head that probably solve this concern acceptably for 80% of apps that have it - you could use named pipes; you could redirect output to a third process like netcat that connects back to a handler process via a domain socket and deals with it; the parent could open a shm segment and maintain a DMA-like sweeper that takes blocks off, puts them into files it owns, and keeps its own little virtual FS.

I know none of those is straight fopen(), but somebody would only have to write it one time. Seems like a classic my-current-filesystem-is-mounted-ro problem. That used to be a pretty everyday occurrence, and any old sys admin has 100 workarounds for it.

And remember before you squawk about chunked byte streams being inserted into blobs: there's 15 years of Oracle Video Server delivering PPV porn to the hotelier masses that says it works fine.

2 comments

I seriously doubt any such attempts to sidestep will succeed in a world where the problem is not just technical (you may be able to fool the sandbox-enforcing system), but a matter of getting your app approved, not just once but with every update, small or large.

The added complication is that in this case LaTeX itself decides to spawn a few calls to various utilities it uses under the hood. Those attempts will simply be blocked by the OS inside the sandbox. So you won't be able to typeset successfully.

Sure, any sandbox can probably be broken out of by a sufficiently creative and determined hacker, but do you really want to bet your company on the fact that Apple won't at some point down the road close those loopholes or ban your app for exploiting them? And do you really want to be stuck in a situation where you have to spend effort not only on writing your app, but on continuously fighting against the platform your app is running on?