Darwin sandbox: Use sandbox-defaults.sb
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
This commit is contained in:
Eelco Dolstra
parent
53a1644187
commit
acc889c821
5 changed files with 19 additions and 16 deletions
62
src/libstore/sandbox-defaults.sb
Normal file
62
src/libstore/sandbox-defaults.sb
Normal file
|
|
@ -0,0 +1,62 @@
|
|||
(allow file-read* file-write-data (literal "/dev/null"))
|
||||
(allow ipc-posix*)
|
||||
(allow mach-lookup (global-name "com.apple.SecurityServer"))
|
||||
|
||||
(allow file-read*
|
||||
(literal "/dev/dtracehelper")
|
||||
(literal "/dev/tty")
|
||||
(literal "/dev/autofs_nowait")
|
||||
(literal "/System/Library/CoreServices/SystemVersion.plist")
|
||||
(literal "/private/var/run/systemkeychaincheck.done")
|
||||
(literal "/private/etc/protocols")
|
||||
(literal "/private/var/tmp")
|
||||
(literal "/private/var/db")
|
||||
(subpath "/private/var/db/mds"))
|
||||
|
||||
(allow file-read*
|
||||
(subpath "/usr/share/icu")
|
||||
(subpath "/usr/share/locale")
|
||||
(subpath "/usr/share/zoneinfo"))
|
||||
|
||||
(allow file-write*
|
||||
(literal "/dev/tty")
|
||||
(literal "/dev/dtracehelper")
|
||||
(literal "/mds"))
|
||||
|
||||
(allow file-ioctl (literal "/dev/dtracehelper"))
|
||||
|
||||
(allow file-read-metadata
|
||||
(literal "/var")
|
||||
(literal "/tmp")
|
||||
(literal "/etc/resolv.conf")
|
||||
(literal "/private/etc/resolv.conf"))
|
||||
|
||||
(allow file-read*
|
||||
(literal "/private/var/run/resolv.conf"))
|
||||
|
||||
; some builders use filehandles other than stdin/stdout
|
||||
(allow file*
|
||||
(subpath "/dev/fd")
|
||||
(literal "/dev/ptmx")
|
||||
(regex #"^/dev/[pt]ty.*$"))
|
||||
|
||||
; allow everything inside TMP
|
||||
(allow file* process-exec
|
||||
(subpath (param "_GLOBAL_TMP_DIR"))
|
||||
(subpath "/private/tmp"))
|
||||
|
||||
(allow process-fork)
|
||||
(allow sysctl-read)
|
||||
(allow signal (target same-sandbox))
|
||||
|
||||
; allow getpwuid (for git and other packages)
|
||||
(allow mach-lookup
|
||||
(global-name "com.apple.system.notification_center")
|
||||
(global-name "com.apple.system.opendirectoryd.libinfo"))
|
||||
|
||||
; allow local networking
|
||||
(allow network* (local ip) (remote unix-socket))
|
||||
|
||||
; Disallow creating setuid/setgid binaries, since that
|
||||
; would allow breaking build user isolation.
|
||||
(deny file-write-setugid)
|
||||
Loading…
Add table
Add a link
Reference in a new issue