; Default sandbox profile (Seatbelt/SBPL) for builds.
;
; Parameters supplied by the caller:
;   _GLOBAL_TMP_DIR         - the build's temporary directory; the only
;                             writable/executable location granted here.
;   _ALLOW_LOCAL_NETWORKING - when set, enables the optional local-network
;                             block below; otherwise no IP networking is
;                             allowed at all.
;
; Everything not explicitly allowed in this file is denied by the
; (deny default) rule, so each (allow ...) below widens the sandbox.
(define TMPDIR (param "_GLOBAL_TMP_DIR"))

; Deny everything first; every rule after this is an explicit exception.
(deny default)

; Disallow creating setuid/setgid binaries, since that
; would allow breaking build user isolation.
(deny file-write-setugid)

; Allow forking.
(allow process-fork)

; Allow reading system information like #CPUs, etc.
(allow sysctl-read)

; Allow POSIX semaphores and shared memory.
(allow ipc-posix*)

; Allow socket creation.
(allow system-socket)

; Allow sending signals within the sandbox.
(allow signal (target same-sandbox))

; Access to /tmp.
; The network-outbound/network-inbound ones are for unix domain sockets, which
; we allow access to in TMPDIR (but if we allow them more broadly, you could in
; theory escape the sandbox)
; Note that this is the single rule that grants write access (file*) and
; execution of binaries (process-exec), and both are confined to the
; literal path /tmp and to the subtree under TMPDIR.
(allow file* process-exec network-outbound network-inbound
       (literal "/tmp") (subpath TMPDIR))

; Unix domain sockets are deliberately NOT allowed here in general: the rule
; above already permits them under TMPDIR, and the comment there explains why
; a broader allowance is avoided. (No rule intentionally follows this comment.)


; Some packages like to read the system version.
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))

; Without this line clang cannot write to /dev/null, breaking some configure tests.
; Only metadata of the /dev directory itself is exposed; the individual device
; nodes are listed separately under "Standard devices" below.
(allow file-read-metadata (literal "/dev"))

; Many packages like to do local networking in their test suites, but let's only
; allow it if the package explicitly asks for it.
; This block is the only place IP networking is granted, and it is limited to
; local addresses/ports plus the files needed for name resolution.
(if (param "_ALLOW_LOCAL_NETWORKING")
    (begin
      (allow network* (local ip) (local tcp) (local udp))

      ; Allow access to /etc/resolv.conf (which is a symlink to
      ; /private/var/run/resolv.conf).
      ; TODO: deduplicate with sandbox-network.sb
      ; The /var and /etc metadata entries overlap with the unconditional
      ; file-read-metadata rule at the end of this profile.
      (allow file-read-metadata
             (literal "/var")
             (literal "/etc")
             (literal "/etc/resolv.conf")
             (literal "/private/etc/resolv.conf"))

      (allow file-read*
             (literal "/private/var/run/resolv.conf"))

      ; Allow DNS lookups. This is even needed for localhost, which lots of tests rely on
      ; /etc/hosts is a symlink, so metadata is allowed on the link and
      ; reads on its target under /private.
      (allow file-read-metadata (literal "/etc/hosts"))
      (allow file-read*         (literal "/private/etc/hosts"))
      ; Resolver queries go over the mDNSResponder unix socket.
      (allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))))

; Standard devices.
; NOTE(review): /dev/stdin and /dev/stdout are listed but /dev/stderr is not
; - confirm whether that is intended.
(allow file*
       (literal "/dev/null")
       (literal "/dev/random")
       (literal "/dev/stdin")
       (literal "/dev/stdout")
       (literal "/dev/tty")
       (literal "/dev/urandom")
       (literal "/dev/zero")
       (subpath "/dev/fd"))

; Does nothing, but reduces build noise.
(allow file* (literal "/dev/dtracehelper"))

; Allow access to zoneinfo since libSystem needs it.
(allow file-read* (subpath "/usr/share/zoneinfo"))

; Read-only access to system locale data.
(allow file-read* (subpath "/usr/share/locale"))

; This is mostly to get more specific log messages when builds try to
; access something in /etc or /var.
; Only metadata (stat-style) access is granted here, not file contents.
(allow file-read-metadata
       (literal "/etc")
       (literal "/var")
       (literal "/private/var/tmp"))