From 559a504da7d4289badfb4ebf7906f80fbf50bedf Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 17 May 2021 00:15:30 +0100 Subject: [PATCH] sandbox: allow SystemVersionCompat.plist on Darwin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For whatever reason, many programs trying to access SystemVersion.plist also open SystemVersionCompat.plist; this includes Python code and coreutils’ `cat(1)` (but not the native macOS `/bin/cat`). Illustratory `dtruss(1m)` output: open("/System/Library/CoreServices/SystemVersion.plist\0", 0x0, 0x0) = 3 0 open("/System/Library/CoreServices/SystemVersionCompat.plist\0", 0x0, 0x0) = 4 0 I assume this is a Big Sur change relating to the 10.16.x/11.x version compatibility divide and that it’s something along the lines of a hook inside libSystem. Fixes a lot of sandboxed package builds under Big Sur. --- src/libstore/sandbox-defaults.sb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb index 351037822..2bb1ea130 100644 --- a/src/libstore/sandbox-defaults.sb +++ b/src/libstore/sandbox-defaults.sb @@ -32,7 +32,9 @@ (literal "/tmp") (subpath TMPDIR)) ; Some packages like to read the system version. -(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) +(allow file-read* + (literal "/System/Library/CoreServices/SystemVersion.plist") + (literal "/System/Library/CoreServices/SystemVersionCompat.plist")) ; Without this line clang cannot write to /dev/null, breaking some configure tests. (allow file-read-metadata (literal "/dev"))
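Review bot: The comment above the changed rule, "Some packages like to read the system version.", is left untouched, so nothing in sandbox-defaults.sb explains why SystemVersionCompat.plist is allowed. The reason exists only in the commit message (programs that open SystemVersion.plist also open the Compat file, as in the dtruss output), and the message itself marks the cause as an assumption. A later cleanup could therefore drop the second literal as unneeded. Suggest extending the comment, for example "; On Big Sur, programs reading SystemVersion.plist also open SystemVersionCompat.plist." Keeping both entries as exact (literal ...) paths under file-read*, rather than widening to a subpath, keeps the default profile's read allowance narrow and is worth preserving if further version-related files turn up.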