maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Always allow builds to use unix domain sockets in Darwin sandbox

Browse source
This commit is contained in:
Dan Peebles 2017-10-31 13:16:51 +01:00
parent 72cd52c3cd
commit bc6b3f7e8f
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/libstore/sandbox-defaults.sb
View file

@ -22,7 +22,14 @@
(allow signal (target same-sandbox)) (allow signal (target same-sandbox))
; Access to /tmp. ; Access to /tmp.
(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) ; The network-outbound/network-inbound ones are for unix domain sockets, which
; we allow access to in TMPDIR (but if we allow them more broadly, you could in
; theory escape the sandbox)
(allow file* process-exec network-outbound network-inbound
(literal "/tmp") (subpath TMPDIR))
; Always allow unix domain sockets, since they can't hurt purity or security
; Some packages like to read the system version. ; Some packages like to read the system version.
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) (allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))