Enhance Mac OSX sandbox_init() ignoring.

If SANDBOX_INIT_ERROR_IGNORE is passed as "always" during the build, return values are now unilaterally ignored. Otherwise, the environment variable SANDBOX_INIT_ERROR_IGNORE must also be set. References #144
kristapsdz · Dec 31, 2024 · eec3dfe · eec3dfe
1 parent 06d21eb
commit eec3dfe
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -122,8 +122,18 @@ THUMBS		 = screen-mandoc.thumb.jpg \
 		   screen-groff.thumb.jpg \
 		   screen-term.thumb.jpg
 CFLAGS		+= -DVERSION=\"$(VERSION)\"
+# Hack around broken Mac OS X nested sandboxes.
+# If SANDBOX_INIT_ERROR_IGNORE is set to "always", errors from
+# sandbox_init() are ignored.  If set to anything else, the user must
+# also set SANDBOX_INIT_ERROR_IGNORE in their environment to ignore
+# failure.
+# Has no effect unless HAVE_SANDBOX_INIT is defined.
 .ifdef SANDBOX_INIT_ERROR_IGNORE
-CFLAGS		+= -DSANDBOX_INIT_ERROR_IGNORE=ignore
+.if $(SANDBOX_INIT_ERROR_IGNORE) == "always"
+CFLAGS		+= -DSANDBOX_INIT_ERROR_IGNORE=2
+.else
+CFLAGS		+= -DSANDBOX_INIT_ERROR_IGNORE=1
+.endif
 .endif
 # Because the objects will be compiled into a shared library:
 CFLAGS		+= -fPIC

diff --git a/main.c b/main.c
@@ -96,11 +96,17 @@ sandbox_post(int fdin, int fddin, int fdout)
 	 * and the SANDBOX_INIT_ERROR_IGNORE environment variable is
 	 * set, failure to create the sandbox will not cause the system
 	 * to fail.
+	 *
+	 * Alternatively, if SANDBOX_INIT_ERROR_IGNORE is 2, errors are
+	 * ignored all the time.
 	 */
+# if SANDBOX_INIT_ERROR_IGNORE == 2
+	return
+# else
 	if (getenv("SANDBOX_INIT_ERROR_IGNORE") != NULL)
 		return;
+# endif
 #endif
-
 	errx(1, "sandbox_init: %s", ep);
 }