author | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30 17:40:12 +0200 |
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30 17:40:12 +0200 |
commit | acc889c82179e96537ebe1494ec13b9536d579ca (patch) | |
tree | eeff56d8de6984cdbfe8dd661de9fb6d14c1d8a8 /src/libstore/sandbox-defaults.sb | |
parent | 53a16441878ebd4a5ac6ef8a95a649bfd521da3d (diff) |
Darwin sandbox: Use sandbox-defaults.sb
Issue #759.
Also, remove nix.conf from the sandbox since I don't really see a
legitimate reason for builders to access the Nix configuration.
Diffstat (limited to 'src/libstore/sandbox-defaults.sb')
-rw-r--r-- | src/libstore/sandbox-defaults.sb | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
new file mode 100644
index 000000000..6bd15603e
--- /dev/null
+++ b/src/libstore/sandbox-defaults.sb
@@ -0,0 +1,62 @@
+(allow file-read* file-write-data (literal "/dev/null"))
+(allow ipc-posix*)
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
+(allow file-read*
+ (literal "/dev/dtracehelper")
+ (literal "/dev/tty")
+ (literal "/dev/autofs_nowait")
+ (literal "/System/Library/CoreServices/SystemVersion.plist")
+ (literal "/private/var/run/systemkeychaincheck.done")
+ (literal "/private/etc/protocols")
+ (literal "/private/var/tmp")
+ (literal "/private/var/db")
+ (subpath "/private/var/db/mds"))
+
+(allow file-read*
+ (subpath "/usr/share/icu")
+ (subpath "/usr/share/locale")
+ (subpath "/usr/share/zoneinfo"))
+
+(allow file-write*
+ (literal "/dev/tty")
+ (literal "/dev/dtracehelper")
+ (literal "/mds"))
+
+(allow file-ioctl (literal "/dev/dtracehelper"))
+
+(allow file-read-metadata
+ (literal "/var")
+ (literal "/tmp")
+ (literal "/etc/resolv.conf")
+ (literal "/private/etc/resolv.conf"))
+
+(allow file-read*
+ (literal "/private/var/run/resolv.conf"))
+
+; some builders use filehandles other than stdin/stdout
+(allow file*
+ (subpath "/dev/fd")
+ (literal "/dev/ptmx")
+ (regex #"^/dev/[pt]ty.*$"))
+
+; allow everything inside TMP
+(allow file* process-exec
+ (subpath (param "_GLOBAL_TMP_DIR"))
+ (subpath "/private/tmp"))
+
+(allow process-fork)
+(allow sysctl-read)
+(allow signal (target same-sandbox))
+
+; allow getpwuid (for git and other packages)
+(allow mach-lookup
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.opendirectoryd.libinfo"))
+
+; allow local networking
+(allow network* (local ip) (remote unix-socket))
+
+; Disallow creating setuid/setgid binaries, since that
+; would allow breaking build user isolation.
+(deny file-write-setugid) |
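Review bot: The `(allow network* (local ip) (remote unix-socket))` rule near the end of the hunk looks broader than its `; allow local networking` comment suggests: in Seatbelt a `(local ip)` filter with no address pattern matches any socket whose local endpoint is an IP address, which every outbound TCP/UDP connection has, so as far as I can tell this permits network-outbound to arbitrary remote hosts rather than loopback only, undermining the build-purity goal of the sandbox. If loopback-only is the intent, constrain both endpoints, e.g. `(allow network* (local ip "localhost:*") (remote ip "localhost:*") (remote unix-socket))`, and if the broad form is deliberate the comment should say so. Two smaller points: the file sets no `(deny default)` itself, so a header comment such as `; Included after (deny default) by the Darwin builder; every rule here is an explicit allow-list exception` would tell readers the profile only makes sense under a default-deny set by whatever includes it (I cannot see that code from here), and `(allow ipc-posix*)` with no name filter lets concurrently running builds share POSIX shm/semaphore namespaces, which deserves a one-line comment if that cross-build channel is accepted.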