authorDaiderd Jordan <daiderd@gmail.com>2020-03-20 21:31:20 +0100
committerDaiderd Jordan <daiderd@gmail.com>2020-03-20 21:31:20 +0100
commit7f2df903d91cd21ab05223344ee4dec0a7d52c41 (patch)
treea27cdff5df097d93315bb397cca0bb86becc6153 /src/libstore
parentafb78ebd34bff9a701d70041abc2ff211390584e (diff)
libstore: relax default sandbox-paths on darwin
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/globals.cc14
1 files changed, 6 insertions, 8 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index a8945996e..1a2fcbe22 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -20,13 +20,6 @@ namespace nix {
must be deleted and recreated on startup.) */
#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
-/* chroot-like behavior from Apple's sandbox */
-#if __APPLE__
- #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
-#else
- #define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
-#endif
-
Settings settings;
static GlobalConfig::Register r1(&settings);
@@ -68,7 +61,12 @@ Settings::Settings()
sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
#endif
- allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
+
+/* chroot-like behavior from Apple's sandbox */
+#if __APPLE__
+ sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /private/tmp /private/var/tmp /usr/lib");
+ allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh");
+#endif
}
void loadConfFile()
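Review bot: The new darwin default for `sandboxPaths` lists `/private/tmp` and `/private/var/tmp`, host temp directories that any local user can write to, so every sandboxed build gets a view of files left there by other users and by other builds. If builds do not strictly need them, I would drop both from the default and leave them to explicit configuration: `sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /usr/lib");`. If they are needed, a comment above the assignment naming what requires each path would make the exposure reviewable. The assignment also replaces rather than extends whatever the earlier `sandboxPaths = ...` branch set, which is presumably never active on darwin but is worth confirming; Settings::Settings() starts outside the hunk.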