Merge remote-tracking branch 'origin/master' into flakes

author: Eelco Dolstra <edolstra@gmail.com> 2020-03-23 13:27:54 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2020-03-23 13:27:54 +0100
commit: 7abe3bde8ade2941ca8a3dbb2b73b8cc9de2b1a1 (patch)
tree: c73ce56fe1bd47a5474bb2a51051aae1255f2a69 /src/libstore
parent: 4e67f89f380d97bab4018480e349d18e3850436f (diff)
parent: 160edd3f5d55bbe7e396c08f35e7b80bc1905e6b (diff)
3 files changed, 17 insertions, 14 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index a8945996e..7e97f3c22 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -20,13 +20,6 @@ namespace nix {
    must be deleted and recreated on startup.) */
 #define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
 
-/* chroot-like behavior from Apple's sandbox */
-#if __APPLE__
-    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
-#else
-    #define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
-#endif
-
 Settings settings;
 
 static GlobalConfig::Register r1(&settings);
@@ -68,7 +61,12 @@ Settings::Settings()
     sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
 #endif
 
-    allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
+
+/* chroot-like behavior from Apple's sandbox */
+#if __APPLE__
+    sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib");
+    allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh");
+#endif
 }
 
 void loadConfFile()
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index d0500be22..41bbed33f 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -311,12 +311,7 @@ public:
     Setting<bool> printMissing{this, true, "print-missing",
         "Whether to print what paths need to be built or downloaded."};
 
-    Setting<std::string> preBuildHook{this,
-#if __APPLE__
-        nixLibexecDir + "/nix/resolve-system-dependencies",
-#else
-        "",
-#endif
+    Setting<std::string> preBuildHook{this, "",
         "pre-build-hook",
         "A program to run just before a build to set derivation-specific build settings."};
 
diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
index 0299d1ee4..351037822 100644
--- a/src/libstore/sandbox-defaults.sb
+++ b/src/libstore/sandbox-defaults.sb
@@ -71,6 +71,12 @@
        (literal "/dev/zero")
        (subpath "/dev/fd"))
 
+; Allow pseudo-terminals.
+(allow file*
+       (literal "/dev/ptmx")
+       (regex #"^/dev/pty[a-z]+")
+       (regex #"^/dev/ttys[0-9]+"))
+
 ; Does nothing, but reduces build noise.
 (allow file* (literal "/dev/dtracehelper"))
 
@@ -85,3 +91,7 @@
        (literal "/etc")
        (literal "/var")
        (literal "/private/var/tmp"))
+
+; This is used by /bin/sh on macOS 10.15 and later.
+(allow file*
+       (literal "/private/var/select/sh"))
author	Eelco Dolstra <edolstra@gmail.com>	2020-03-23 13:27:54 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2020-03-23 13:27:54 +0100
commit	7abe3bde8ade2941ca8a3dbb2b73b8cc9de2b1a1 (patch)
tree	c73ce56fe1bd47a5474bb2a51051aae1255f2a69 /src/libstore
parent	4e67f89f380d97bab4018480e349d18e3850436f (diff)
parent	160edd3f5d55bbe7e396c08f35e7b80bc1905e6b (diff)