maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Always use the Darwin sandbox

Browse source 
Even with "build-use-sandbox = false", we now use sandboxing with a
permissive profile that allows everything except the creation of
setuid/setgid binaries.
This commit is contained in:
Eelco Dolstra 2017-06-06 18:44:49 +02:00
parent d3f780996c
commit 85e93d7b87
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
5 changed files with 100 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/libstore/sandbox-defaults.sb
View file

@ -1,5 +1,7 @@
(define TMPDIR (param "_GLOBAL_TMP_DIR"))
(deny default)
; Disallow creating setuid/setgid binaries, since that
; would allow breaking build user isolation.
(deny file-write-setugid)