From e770f941d612922a19fae0dd7552a47a64751c42 Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Tue, 29 Sep 2015 09:03:45 -0700
Subject: [PATCH] make sandbox builds more permissive

---
 src/libstore/build.cc | 4 ++--
 src/libutil/util.cc | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 983aba938..b11b04638 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -59,7 +59,7 @@
 /* chroot-like behavior from Apple's sandbox */
 #if __APPLE__
 #define SANDBOX_ENABLED 1
- #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
+ #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/"
 #else
 #define SANDBOX_ENABLED 0
 #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin"
@@ -2451,7 +2451,7 @@ void DerivationGoal::runChild()
 sandboxProfile += "(allow file-read* file-write-data (literal \"/dev/null\"))\n";
- sandboxProfile += "(allow ipc-posix-shm*)\n";
+ sandboxProfile += "(allow ipc-posix-shm* ipc-posix-sem)\n";
 sandboxProfile += "(allow mach-lookup\n"
 "\t(global-name \"com.apple.SecurityServer\")\n"
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index 11c75d2cd..178f78bde 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -167,10 +167,11 @@ string baseNameOf(const Path & path)
 bool isInDir(const Path & path, const Path & dir)
 {
- return path[0] == '/'
- && string(path, 0, dir.size()) == dir
- && path.size() >= dir.size() + 2
- && path[dir.size()] == '/';
+ return dir == "/"
+ || (path[0] == '/'
+ && string(path, 0, dir.size()) == dir
+ && path.size() >= dir.size() + 2
+ && path[dir.size()] == '/');
 }
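Review bot: The new `DEFAULT_ALLOWED_IMPURE_PREFIXES "/"` on the Apple branch widens the default impure-path allowance from four specific directories to the whole filesystem, and nothing in the hunk records why or that this is now the default rather than an opt-in. That turns the Darwin sandbox's path restriction into a no-op for every build unless a user overrides the setting, which is a materially weaker purity guarantee than the removed line expressed. At minimum a comment above the define should state the trade-off, e.g. `/* Default to allowing reads from the whole filesystem on Darwin; this trades build purity for compatibility with the system toolchain, and should be narrowed where possible. */`. The name and the third hunk suggest this list is tokenised and matched with isInDir, but that code is outside the hunk, so confirm the override path still works once "/" is the default.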
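Review bot: The added `ipc-posix-sem` grant in the sandbox profile is undocumented; the surrounding profile lines carry no comment either, but each new capability given to the builder should say what needs it. A one-line comment before the changed line, such as `/* POSIX semaphores are needed alongside shared memory by some build tools; both are confined to the sandbox. */`, lets a later reviewer judge whether the grant is still required. The body of DerivationGoal::runChild continues outside the hunk, so the surrounding profile construction cannot be checked here.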
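Review bot: The new `dir == "/"` short-circuit in isInDir returns true for any path, including relative paths and the empty string, whereas the removed code always required `path[0] == '/'`; since this helper appears to back the impure-prefix check from the first hunk, a relative path would now be accepted as "inside /". Keeping the absolute-path requirement outside the special case preserves the old contract: `return path[0] == '/' && (dir == "/" ? path.size() >= 2 : (string(path, 0, dir.size()) == dir && path.size() >= dir.size() + 2 && path[dir.size()] == '/'));`. The `path.size() >= 2` part keeps the existing rule that a path equal to dir itself is not "in" dir. A short doc comment above the function stating that both arguments are expected to be absolute and that dir must not end in a slash would also help, as that precondition is implicit in the `path[dir.size()] == '/'` test.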