OS X sandbox: Improve builtin sandbox profile
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
This commit is contained in:
Eelco Dolstra
parent
5ea8161b55
commit
c96e8cd097
5 changed files with 85 additions and 67 deletions
16
src/libstore/sandbox-network.sb
Normal file
16
src/libstore/sandbox-network.sb
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
; Allow local and remote network traffic.
|
||||
(allow network* (local ip) (remote ip))
|
||||
|
||||
; Allow access to /etc/resolv.conf (which is a symlink to
|
||||
; /private/var/run/resolv.conf).
|
||||
(allow file-read-metadata
|
||||
(literal "/var")
|
||||
(literal "/etc")
|
||||
(literal "/etc/resolv.conf")
|
||||
(literal "/private/etc/resolv.conf"))
|
||||
|
||||
(allow file-read*
|
||||
(literal "/private/var/run/resolv.conf"))
|
||||
|
||||
; Allow DNS lookups.
|
||||
(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
|
||||
Loading…
Add table
Add a link
Reference in a new issue