diff options
author | Daiderd Jordan <daiderd@gmail.com> | 2020-03-20 21:31:20 +0100 |
---|---|---|
committer | Daiderd Jordan <daiderd@gmail.com> | 2020-03-20 21:31:20 +0100 |
commit | 7f2df903d91cd21ab05223344ee4dec0a7d52c41 (patch) | |
tree | a27cdff5df097d93315bb397cca0bb86becc6153 /src/libstore | |
parent | afb78ebd34bff9a701d70041abc2ff211390584e (diff) |
libstore: relax default sandbox-paths on darwin
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/globals.cc | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index a8945996e..1a2fcbe22 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -20,13 +20,6 @@ namespace nix { must be deleted and recreated on startup.) */ #define DEFAULT_SOCKET_PATH "/daemon-socket/socket" -/* chroot-like behavior from Apple's sandbox */ -#if __APPLE__ - #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh" -#else - #define DEFAULT_ALLOWED_IMPURE_PREFIXES "" -#endif - Settings settings; static GlobalConfig::Register r1(&settings); @@ -68,7 +61,12 @@ Settings::Settings() sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL); #endif - allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES); + +/* chroot-like behavior from Apple's sandbox */ +#if __APPLE__ + sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /private/tmp /private/var/tmp /usr/lib"); + allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh"); +#endif } void loadConfFile() |