-rw-r--r--corepkgs/buildenv.nix18
-rw-r--r--release.nix5
2 files changed, 19 insertions, 4 deletions
diff --git a/corepkgs/buildenv.nix b/corepkgs/buildenv.nix
index b4946457f..ab1ce13f2 100644
--- a/corepkgs/buildenv.nix
+++ b/corepkgs/buildenv.nix
@@ -23,10 +23,20 @@ derivation {
# network traffic, so don't do that.
preferLocalBuild = true;
- __impureHostDeps = if builtins.currentSystem == "x86_64-darwin" then [
- "/usr/lib/libSystem.dylib"
- "/usr/lib/system"
- ] else null;
+ __sandboxProfile = ''
+ (allow sysctl-read)
+ (allow file-read*
+ (literal "/usr/lib/libSystem.dylib")
+ (literal "/usr/lib/libSystem.B.dylib")
+ (literal "/usr/lib/libobjc.A.dylib")
+ (literal "/usr/lib/libobjc.dylib")
+ (literal "/usr/lib/libauto.dylib")
+ (literal "/usr/lib/libc++abi.dylib")
+ (literal "/usr/lib/libc++.1.dylib")
+ (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+ (subpath "/usr/lib/system")
+ (subpath "/dev"))
+ '';
inherit chrootDeps;
}
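Review bot: The new `__sandboxProfile` widens the build sandbox's read scope well beyond what the removed `__impureHostDeps` list allowed — in particular `(subpath "/dev")` on the last rule grants `file-read*` on the whole device tree, where the old value named only two library paths, and nothing in the hunk says which device nodes the build actually needs. The profile is also no longer guarded by the `builtins.currentSystem == "x86_64-darwin"` check that the removed lines had; if `__sandboxProfile` is only honoured by the Darwin sandbox that is harmless, but the attribute should say so. I would add a comment above the attribute such as `# Darwin sandbox-exec profile; the /dev subpath grant is broad — TODO(review): name the device nodes the build needs and narrow it to literal entries` and, if the grant can be narrowed, replace `(subpath "/dev")` with the specific `(literal "/dev/...")` entries. The rest of the surrounding `derivation { ... }` set lies outside the hunk.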
diff --git a/release.nix b/release.nix
index 4269a3f76..cb391d0ff 100644
--- a/release.nix
+++ b/release.nix
@@ -97,6 +97,11 @@ let
enableParallelBuilding = true;
+ __sandboxProfile = lib.sandbox.allowNetwork
+ + lib.sandbox.allowFileRead {
+ literal = [ "/etc" "/etc/nix/nix.conf" "/private/etc/nix/nix.conf" ];
+ };
+
makeFlags = "profiledir=$(out)/etc/profile.d";
preBuild = "unset NIX_INDENT_MAKE";