Darwin sandbox: Use sandbox-defaults.sb
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
This commit is contained in:
Eelco Dolstra
parent
53a1644187
commit
acc889c821
5 changed files with 19 additions and 16 deletions
4
.gitignore
vendored
4
.gitignore
vendored
|
|
@ -48,8 +48,8 @@ perl/Makefile.config
|
|||
/src/libexpr/nix.tbl
|
||||
|
||||
# /src/libstore/
|
||||
/src/libstore/schema.sql.hh
|
||||
/src/libstore/sandbox-defaults.sb
|
||||
/src/libstore/schema.sql.gen.hh
|
||||
/src/libstore/sandbox-defaults.sb.gen.hh
|
||||
|
||||
/src/nix/nix
|
||||
|
||||
|
|
|
|||
|
|
@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
|
|||
sandboxProfile += "(deny default (with no-log))\n";
|
||||
}
|
||||
|
||||
/* Disallow creating setuid/setgid binaries, since that
|
||||
would allow breaking build user isolation. */
|
||||
sandboxProfile += "(deny file-write-setugid)\n";
|
||||
sandboxProfile +=
|
||||
#include "sandbox-defaults.sb.gen.hh"
|
||||
;
|
||||
|
||||
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
|
||||
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
|
||||
|
|
|
|||
|
|
@ -320,7 +320,7 @@ void LocalStore::openDB(State & state, bool create)
|
|||
/* Initialise the database schema, if necessary. */
|
||||
if (create) {
|
||||
const char * schema =
|
||||
#include "schema.sql.hh"
|
||||
#include "schema.sql.gen.hh"
|
||||
;
|
||||
db.exec(schema);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,12 +34,16 @@ libstore_CXXFLAGS = \
|
|||
-DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
|
||||
-DLSOF=\"$(lsof)\"
|
||||
|
||||
$(d)/local-store.cc: $(d)/schema.sql.hh
|
||||
$(d)/local-store.cc: $(d)/schema.sql.gen.hh
|
||||
|
||||
%.sql.hh: %.sql
|
||||
$(trace-gen) sed -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $< > $@ || (rm $@ && exit 1)
|
||||
$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh
|
||||
|
||||
clean-files += $(d)/schema.sql.hh
|
||||
%.gen.hh: %
|
||||
echo 'R"foo(' >> $@.tmp
|
||||
cat $< >> $@.tmp
|
||||
echo ')foo"' >> $@.tmp
|
||||
mv $@.tmp $@
|
||||
|
||||
clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh
|
||||
|
||||
$(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))
|
||||
$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644))
|
||||
|
|
|
|||
|
|
@ -28,15 +28,10 @@
|
|||
(allow file-read-metadata
|
||||
(literal "/var")
|
||||
(literal "/tmp")
|
||||
; symlinks
|
||||
(literal "@sysconfdir@")
|
||||
(literal "@sysconfdir@/nix")
|
||||
(literal "@sysconfdir@/nix/nix.conf")
|
||||
(literal "/etc/resolv.conf")
|
||||
(literal "/private/etc/resolv.conf"))
|
||||
|
||||
(allow file-read*
|
||||
(literal "/private@sysconfdir@/nix/nix.conf")
|
||||
(literal "/private/var/run/resolv.conf"))
|
||||
|
||||
; some builders use filehandles other than stdin/stdout
|
||||
|
|
@ -61,3 +56,7 @@
|
|||
|
||||
; allow local networking
|
||||
(allow network* (local ip) (remote unix-socket))
|
||||
|
||||
; Disallow creating setuid/setgid binaries, since that
|
||||
; would allow breaking build user isolation.
|
||||
(deny file-write-setugid)
|
||||
Loading…
Add table
Add a link
Reference in a new issue