Josh --

Thanks for the interest!
Dia works on the operating system level by using features exposed by the 
Mac OS X header "sandbox.h" .. The most restrictive profile you can use 
is Dia::Profiles::NO_OS_SERVICES, and this disallows all operating 
system services.

If you were to set up a sandbox like you were talking about, I'd suggest 
this profile.

You won't be able to:

* Read from the filesystem
* Write to the filesystem
* Access the internet
* Do any kind of socket-based communication
* fork()

.. And the restrictions go on, I've probably missed a few.

I'll leave you with an example to give you some ideas:

  require 'dia'
  require 'open-uri'   # Kernel#open on a URI needs open-uri

  sandbox = Dia::Sandbox.new(Dia::Profiles::NO_OS_SERVICES) do
    open(URI.parse('http://www.google.com')).read
  end

  # Child process is spawned.
  # Ruby block is executed.
  # An attempt to access the internet is encountered, and a subclass of
  # SystemCallError (Errno::EPERM) is raised.
  sandbox.run

If you have any questions, please ask.

Thanks,
Rob



-- 
Posted via http://www.ruby-forum.com/.
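The parent/child flow Rob describes (child spawned, block executed, a denied service surfacing as Errno::EPERM) can be exercised without the gem or macOS. The following is an added example, not Rob's code or Dia's: it forks a child, runs the block there, and reports the outcome to the parent over a pipe. It applies no sandbox profile itself; on macOS with Dia installed the block would be handed to `Dia::Sandbox.new(profile) { ... }.run` instead, and the `rescue Errno::EPERM` branch is what a profile such as NO_OS_SERVICES would trigger. The method name `run_in_child`, the status strings, and the EPERM raised in the demo are constructed for this example.

```ruby
require 'json'

# Run a block in a forked child and report how it ended. Mirrors the flow
# described in the post (child spawned, block executed, a denied call shows
# up as Errno::EPERM) but applies no sandbox profile itself. The method
# name and the status strings are choices made for this example.
def run_in_child(&block)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    result =
      begin
        block.call
        { 'status' => 'ok' }
      rescue Errno::EPERM => e
        # The error class the post says a denied OS service is raised as.
        { 'status' => 'denied', 'error' => e.class.name }
      rescue StandardError => e
        { 'status' => 'error', 'error' => e.class.name, 'message' => e.message }
      end
    # JSON rather than Marshal: the sandboxed child is precisely the process
    # whose output the parent should treat as untrusted, and Marshal.load can
    # instantiate arbitrary objects from attacker-shaped bytes.
    writer.write(JSON.generate(result))
    writer.close
    exit!(result['status'] == 'ok' ? 0 : 1) # exit! skips at_exit handlers in the child
  end
  writer.close
  payload = reader.read # returns at EOF, i.e. once the child closes its end
  reader.close
  _, status = Process.wait2(pid)
  result = JSON.parse(payload)
  result['exit_status'] = status.exitstatus
  result
end

# Constructed demonstration: one block that completes normally and one that
# raises the EPERM a restrictive profile would produce for a network call.
def demo
  {
    'allowed' => run_in_child { 6 * 7 },
    'denied'  => run_in_child { raise Errno::EPERM, 'network access (constructed)' }
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, r| puts "#{label}: #{r.inspect}" }
end
```

The exit status and the structured report together let a caller tell a sandbox denial apart from an ordinary exception in the block, which matters when the child is running untrusted code and its stdout cannot be relied on.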