Move macOS sandbox files to sr/libstore/build

author: Eelco Dolstra <edolstra@gmail.com> 2023-01-04 04:50:45 -0800
committer: Eelco Dolstra <edolstra@gmail.com> 2023-01-04 04:50:45 -0800
commit: 6991e558ddaaf037954741830078f933a36ec2f2 (patch)
tree: c9bfd34467940bde45a917ddf78f2c1e9ffe0bf0 /src/libstore/build/sandbox-minimal.sb
parent: 609a7dc05974c9f86b2e7304762b9e01c5879380 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/src/libstore/build/sandbox-minimal.sb b/src/libstore/build/sandbox-minimal.sb
new file mode 100644
index 000000000..976a1f636
--- /dev/null
+++ b/src/libstore/build/sandbox-minimal.sb
@@ -0,0 +1,9 @@
+R""(
+
+(allow default)
+
+; Disallow creating setuid/setgid binaries, since that
+; would allow breaking build user isolation.
+(deny file-write-setugid)
+
+)""
author	Eelco Dolstra <edolstra@gmail.com>	2023-01-04 04:50:45 -0800
committer	Eelco Dolstra <edolstra@gmail.com>	2023-01-04 04:50:45 -0800
commit	6991e558ddaaf037954741830078f933a36ec2f2 (patch)
tree	c9bfd34467940bde45a917ddf78f2c1e9ffe0bf0 /src/libstore/build/sandbox-minimal.sb
parent	609a7dc05974c9f86b2e7304762b9e01c5879380 (diff)