aboutsummaryrefslogtreecommitdiff
path: root/src/libstore/build/sandbox-network.sb
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstore/build/sandbox-network.sb')
-rw-r--r--src/libstore/build/sandbox-network.sb24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/libstore/build/sandbox-network.sb b/src/libstore/build/sandbox-network.sb
new file mode 100644
index 000000000..335edbaed
--- /dev/null
+++ b/src/libstore/build/sandbox-network.sb
@@ -0,0 +1,24 @@
+R""(
+
+; Allow local and remote network traffic.
+(allow network* (local ip) (remote ip))
+
+; Allow access to /etc/resolv.conf (which is a symlink to
+; /private/var/run/resolv.conf).
+(allow file-read-metadata
+ (literal "/var")
+ (literal "/etc")
+ (literal "/etc/resolv.conf")
+ (literal "/private/etc/resolv.conf"))
+
+(allow file-read*
+ (literal "/private/var/run/resolv.conf"))
+
+; Allow DNS lookups.
+(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
+
+; Allow access to trustd.
+(allow mach-lookup (global-name "com.apple.trustd"))
+(allow mach-lookup (global-name "com.apple.trustd.agent"))
+
+)""
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 21:55:13 +0000