update sandbox profiles within nix
parent
8a7f0dfd68
commit
22dfd023fa
|
@ -23,10 +23,20 @@ derivation {
|
|||
# network traffic, so don't do that.
|
||||
preferLocalBuild = true;
|
||||
|
||||
__impureHostDeps = if builtins.currentSystem == "x86_64-darwin" then [
|
||||
"/usr/lib/libSystem.dylib"
|
||||
"/usr/lib/system"
|
||||
] else null;
|
||||
__sandboxProfile = ''
|
||||
(allow sysctl-read)
|
||||
(allow file-read*
|
||||
(literal "/usr/lib/libSystem.dylib")
|
||||
(literal "/usr/lib/libSystem.B.dylib")
|
||||
(literal "/usr/lib/libobjc.A.dylib")
|
||||
(literal "/usr/lib/libobjc.dylib")
|
||||
(literal "/usr/lib/libauto.dylib")
|
||||
(literal "/usr/lib/libc++abi.dylib")
|
||||
(literal "/usr/lib/libc++.1.dylib")
|
||||
(literal "/usr/lib/libDiagnosticMessagesClient.dylib")
|
||||
(subpath "/usr/lib/system")
|
||||
(subpath "/dev"))
|
||||
'';
|
||||
|
||||
inherit chrootDeps;
|
||||
}
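Review bot: `(subpath "/dev")` at the end of the new `__sandboxProfile` grants `file-read*` on every device node, far wider than the exact-path `literal` entries above it, so only device-node file permissions keep disk and tty devices away from the builder. If the build needs just the usual pseudo-devices, list them explicitly, for example `(literal "/dev/null") (literal "/dev/random") (literal "/dev/urandom")`; which ones are actually required is not visible in this hunk. `(allow sysctl-read)` is likewise unscoped and lets host details reach the build, so a short comment inside the profile saying why each allowance is needed would help. Judging by the hunk's line counts, the profile appears to replace the old `x86_64-darwin`-only `__impureHostDeps`, so it is worth confirming that an unconditional profile is ignored on other systems.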
|
||||
|
|
|
@ -97,6 +97,11 @@ let
|
|||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
__sandboxProfile = lib.sandbox.allowNetwork
|
||||
+ lib.sandbox.allowFileRead {
|
||||
literal = [ "/etc" "/etc/nix/nix.conf" "/private/etc/nix/nix.conf" ];
|
||||
};
|
||||
|
||||
makeFlags = "profiledir=$(out)/etc/profile.d";
|
||||
|
||||
preBuild = "unset NIX_INDENT_MAKE";
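Review bot: `lib.sandbox.allowNetwork` opens the network for this whole derivation, and nothing in the hunk says which step needs it. A sandboxed build that can reach the network can pull in content that no hash pins, so the reason should be recorded next to the attribute, for example `# sandbox: network needed for <reason>; file reads limited to nix.conf`. If the requirement is only loopback for tests, a narrower allowance would be preferable, provided `lib.sandbox` offers one, which is not visible here. The file-read list names `/etc` and both spellings of `nix.conf` but not `/private/etc`, so check that the `literal` on the `/etc` symlink behaves as intended on macOS.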
|
||||
|
|