make sandbox builds more permissive

This commit is contained in:
Jude Taylor 2015-09-29 09:03:45 -07:00
parent 6dbc9e02ec
commit e770f941d6
2 changed files with 7 additions and 6 deletions


@ -59,7 +59,7 @@
/* chroot-like behavior from Apple's sandbox */ /* chroot-like behavior from Apple's sandbox */
#if __APPLE__ #if __APPLE__
#define SANDBOX_ENABLED 1 #define SANDBOX_ENABLED 1
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh" #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/"
#else #else
#define SANDBOX_ENABLED 0 #define SANDBOX_ENABLED 0
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin" #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin"
@ -2451,7 +2451,7 @@ void DerivationGoal::runChild()
sandboxProfile += "(allow file-read* file-write-data (literal \"/dev/null\"))\n"; sandboxProfile += "(allow file-read* file-write-data (literal \"/dev/null\"))\n";
sandboxProfile += "(allow ipc-posix-shm*)\n"; sandboxProfile += "(allow ipc-posix-shm* ipc-posix-sem)\n";
sandboxProfile += "(allow mach-lookup\n" sandboxProfile += "(allow mach-lookup\n"
"\t(global-name \"com.apple.SecurityServer\")\n" "\t(global-name \"com.apple.SecurityServer\")\n"


@ -167,10 +167,11 @@ string baseNameOf(const Path & path)
bool isInDir(const Path & path, const Path & dir) bool isInDir(const Path & path, const Path & dir)
{ {
return path[0] == '/' return dir == "/"
|| (path[0] == '/'
&& string(path, 0, dir.size()) == dir && string(path, 0, dir.size()) == dir
&& path.size() >= dir.size() + 2 && path.size() >= dir.size() + 2
&& path[dir.size()] == '/'; && path[dir.size()] == '/');
} }
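Review bot: The new `dir == "/"` short-circuit in isInDir is evaluated before the `path[0] == '/'` test, so a relative or empty path is now reported as inside "/" where the old code rejected it; keep the absolute-path requirement outermost with `return path[0] == '/' && (dir == "/" || (string(path, 0, dir.size()) == dir && path.size() >= dir.size() + 2 && path[dir.size()] == '/'));`. Since "/" now acts as a wildcard that matches every absolute path, that behaviour should be stated at the function, e.g. `/* dir == "/" matches every absolute path; used to lift prefix restrictions entirely */`, because a reader of the build.cc default will otherwise not see why "/" is special. Neither the old nor the new check normalises the path, so a `..` segment after the prefix (e.g. "/nix/store/../etc") still passes for a store-prefix dir; if this function gates which host paths a sandboxed build may touch, callers should canonicalise first -- hedged, since the callers are not in this hunk.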