aboutsummaryrefslogtreecommitdiff
path: root/src/libstore/sandbox-defaults.sb
AgeCommit message (Collapse)Author
2021-09-15sandbox: allow Rosetta 2 on DarwinEmily
This allows sandboxed x86_64-darwin builds on aarch64-darwin.
2021-05-17sandbox: allow SystemVersionCompat.plist on DarwinEmily
For whatever reason, many programs trying to access SystemVersion.plist also open SystemVersionCompat.plist; this includes Python code and coreutils’ `cat(1)` (but not the native macOS `/bin/cat`). Illustratory `dtruss(1m)` output: open("/System/Library/CoreServices/SystemVersion.plist\0", 0x0, 0x0) = 3 0 open("/System/Library/CoreServices/SystemVersionCompat.plist\0", 0x0, 0x0) = 4 0 I assume this is a Big Sur change relating to the 10.16.x/11.x version compatibility divide and that it’s something along the lines of a hook inside libSystem. Fixes a lot of sandboxed package builds under Big Sur.
2020-03-20sandbox: fix /bin/sh on catalinaDaiderd Jordan
Sadly 10.15 changed /bin/sh to a shim which executes bash, this means it can't be used anymore without also opening up the sandbox to allow bash. Failed to exec /bin/bash as variant for /bin/sh (1: Operation not permitted).
2020-03-20sandbox: allow pty devicesDaiderd Jordan
Nix now runs builds with a pseudo-terminal to enable colored build output.
2017-11-08Remove extraneous commentEelco Dolstra
2017-11-08Merge pull request #1650 from copumpkin/darwin-sandbox-unix-socketEelco Dolstra
Always allow builds to use unix domain sockets in Darwin sandbox
2017-11-03Allow getpwuid in the darwin sandbox.Daiderd Jordan
2017-10-31Always allow builds to use unix domain sockets in Darwin sandboxDan Peebles
2017-10-30Allow optional localhost network access to sandboxed derivationsDan Peebles
This will allow bind and connect to 127.0.0.1, which can reduce purity/ security (if you're running a vulnerable service on localhost) but is also needed for a ton of test suites, so I'm leaving it turned off by default but allowing certain derivations to turn it on as needed. It also allows DNS resolution of arbitrary hostnames but I haven't found a way to avoid that. In principle I'd just want to allow resolving localhost but that doesn't seem to be possible. I don't think this belongs under `build-use-sandbox = relaxed` because we want it on Hydra and I don't think it's the end of the world.
2017-06-06Always use the Darwin sandboxEelco Dolstra
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries.
2017-05-31OS X sandbox: Improve builtin sandbox profileEelco Dolstra
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
2017-05-30Darwin sandbox: Use sandbox-defaults.sbEelco Dolstra
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.