forked from lix-project/lix
manual: note that __sandboxProfile allows bypassing the darwin sandbox
(but only if it is set to relaxed. no security hole here.)
Thanks to lilyball for pointing out this omission in the docs.
Change-Id: I2408a943bfe817fe660fe1c8fefef898aaf5f7e9
parent a510d17484
commit bb161a96cf
@ -36,7 +36,10 @@ All users of the Lix daemon may do the following to bring things into the Nix st
- Input-addressed, so they are run in the sandbox with no network access, with the following exceptions:
- The (poorly named, since it is not *just* about chroot) property `__noChroot` is set on the derivation and `sandbox` is set to `relaxed`.
- On macOS, the derivation property `__darwinAllowLocalNetworking` allows network access to localhost from input-addressed derivations regardless of the `sandbox` setting value.
This property exists with such semantics because macOS has no network namespace equivalent to isolate individual processes' localhost networking.
- On macOS, the derivation property `__sandboxProfile` accepts extra sandbox profile S-expressions, allowing derivations to bypass arbitrary parts of the sandbox without altogether disabling it.
This is only permitted when `sandbox` is set to `relaxed`.
- Output-addressed, so they are run with network access but their result must match an expected hash.
Trusted users may set any setting, including `sandbox = false`, so the sandbox state can be different at runtime from what is described in `nix.conf` for builds invoked with such settings.
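Review bot: the added `__sandboxProfile` bullet states that the property "is only permitted when `sandbox` is set to `relaxed`" but does not say what happens when `sandbox` is `true` and a derivation sets it anyway: whether the extra profile is silently ignored or the build is refused. That distinction matters to anyone auditing a daemon configuration, because a silently ignored profile means the same derivation builds with different effective sandboxing on a `relaxed` host and a `true` host without any error surfacing; suggest adding one sentence after "This is only permitted when `sandbox` is set to `relaxed`." that spells out the non-relaxed behaviour. Also, the condition is split off into a separate trailing line, whereas the `__noChroot` bullet carries its `relaxed` condition in the same sentence ("... and `sandbox` is set to `relaxed`."); folding the condition into the first sentence of the new bullet would keep the two macOS bullets parallel and make it clear that, unlike `__darwinAllowLocalNetworking`, this property is gated on the `sandbox` value.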