Darwin sandbox: Use sandbox-defaults.sb
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
This commit is contained in:
parent
53a1644187
commit
acc889c821
4
.gitignore
vendored
4
.gitignore
vendored
|
@ -48,8 +48,8 @@ perl/Makefile.config
|
||||||
/src/libexpr/nix.tbl
|
/src/libexpr/nix.tbl
|
||||||
|
|
||||||
# /src/libstore/
|
# /src/libstore/
|
||||||
/src/libstore/schema.sql.hh
|
/src/libstore/schema.sql.gen.hh
|
||||||
/src/libstore/sandbox-defaults.sb
|
/src/libstore/sandbox-defaults.sb.gen.hh
|
||||||
|
|
||||||
/src/nix/nix
|
/src/nix/nix
|
||||||
|
|
||||||
|
|
|
@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
|
||||||
sandboxProfile += "(deny default (with no-log))\n";
|
sandboxProfile += "(deny default (with no-log))\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Disallow creating setuid/setgid binaries, since that
|
sandboxProfile +=
|
||||||
would allow breaking build user isolation. */
|
#include "sandbox-defaults.sb.gen.hh"
|
||||||
sandboxProfile += "(deny file-write-setugid)\n";
|
;
|
||||||
|
|
||||||
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
|
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
|
||||||
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
|
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
|
||||||
|
|
|
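Review bot: The profile text is now spliced in via `#include "sandbox-defaults.sb.gen.hh"` inside the `+=` expression, and nothing near it says where that header comes from or that the .sb file is no longer configure-substituted; the `%.gen.hh` rule just cats the file into a raw string, so any `@var@` placeholder left in sandbox-defaults.sb outside the visible hunks would be compiled into the policy literally. I would add, above the `sandboxProfile +=` line, `/* sandbox-defaults.sb is embedded verbatim at build time as a raw string literal (see the %.gen.hh rule in local.mk); it is not configure-substituted, so edit the .sb file itself to change the built-in policy. */`. The setugid deny that used to be emitted here now lives at the end of the embedded defaults, so its position relative to the tmpDir allowances appended after this point has moved and should be checked against SBPL's rule ordering. runChild starts and ends outside the hunk.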
@ -320,7 +320,7 @@ void LocalStore::openDB(State & state, bool create)
|
||||||
/* Initialise the database schema, if necessary. */
|
/* Initialise the database schema, if necessary. */
|
||||||
if (create) {
|
if (create) {
|
||||||
const char * schema =
|
const char * schema =
|
||||||
#include "schema.sql.hh"
|
#include "schema.sql.gen.hh"
|
||||||
;
|
;
|
||||||
db.exec(schema);
|
db.exec(schema);
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,12 +34,16 @@ libstore_CXXFLAGS = \
|
||||||
-DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
|
-DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
|
||||||
-DLSOF=\"$(lsof)\"
|
-DLSOF=\"$(lsof)\"
|
||||||
|
|
||||||
$(d)/local-store.cc: $(d)/schema.sql.hh
|
$(d)/local-store.cc: $(d)/schema.sql.gen.hh
|
||||||
|
|
||||||
%.sql.hh: %.sql
|
$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh
|
||||||
$(trace-gen) sed -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $< > $@ || (rm $@ && exit 1)
|
|
||||||
|
|
||||||
clean-files += $(d)/schema.sql.hh
|
%.gen.hh: %
|
||||||
|
echo 'R"foo(' >> $@.tmp
|
||||||
|
cat $< >> $@.tmp
|
||||||
|
echo ')foo"' >> $@.tmp
|
||||||
|
mv $@.tmp $@
|
||||||
|
|
||||||
|
clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh
|
||||||
|
|
||||||
$(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))
|
$(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))
|
||||||
$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644))
|
|
||||||
|
|
|
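Review bot: The new `%.gen.hh` rule opens `$@.tmp` with `>>` on its first command, so a `.tmp` left behind by an interrupted build (Ctrl-C between the `cat` and the `mv`) is not truncated and the next run emits a header with two `R"foo(` openers; the first line should create the file, `echo 'R"foo(' > $@.tmp`, leaving `>>` for the `cat` and the closing `echo`. The raw-string delimiter also deserves a comment on the rule, e.g. `# Wrap $< in a C++11 raw string literal; the input must not contain )foo"`, since a file containing that sequence would end the literal early. The `install-file-in` for `sandbox-defaults.sb` is removed, so anything that still `(import …)`s the installed copy at runtime would break; I cannot see from this hunk whether such a reference remains.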
@ -28,15 +28,10 @@
|
||||||
(allow file-read-metadata
|
(allow file-read-metadata
|
||||||
(literal "/var")
|
(literal "/var")
|
||||||
(literal "/tmp")
|
(literal "/tmp")
|
||||||
; symlinks
|
|
||||||
(literal "@sysconfdir@")
|
|
||||||
(literal "@sysconfdir@/nix")
|
|
||||||
(literal "@sysconfdir@/nix/nix.conf")
|
|
||||||
(literal "/etc/resolv.conf")
|
(literal "/etc/resolv.conf")
|
||||||
(literal "/private/etc/resolv.conf"))
|
(literal "/private/etc/resolv.conf"))
|
||||||
|
|
||||||
(allow file-read*
|
(allow file-read*
|
||||||
(literal "/private@sysconfdir@/nix/nix.conf")
|
|
||||||
(literal "/private/var/run/resolv.conf"))
|
(literal "/private/var/run/resolv.conf"))
|
||||||
|
|
||||||
; some builders use filehandles other than stdin/stdout
|
; some builders use filehandles other than stdin/stdout
|
||||||
|
@ -61,3 +56,7 @@
|
||||||
|
|
||||||
; allow local networking
|
; allow local networking
|
||||||
(allow network* (local ip) (remote unix-socket))
|
(allow network* (local ip) (remote unix-socket))
|
||||||
|
|
||||||
|
; Disallow creating setuid/setgid binaries, since that
|
||||||
|
; would allow breaking build user isolation.
|
||||||
|
(deny file-write-setugid)
|
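Review bot: The added `(deny file-write-setugid)` is the last rule of this file, yet Nix appends more rules after the embedded defaults (the tmpDir allowances in runChild), and in SBPL later rules take precedence as far as I recall, with `file-write*` covering `file-write-setugid`; a later `(allow file-write* …)` for a path would therefore re-enable setuid/setgid creation there. Either re-emit the deny after the last appended allow or confirm the later allows exclude it, and state the constraint above the rule: `; Keep this after any file-write* allow: later SBPL rules take precedence, and file-write* includes file-write-setugid.` Dropping read access to nix.conf is a sound tightening, but because of `(deny default (with no-log))` a builder that still opens it will fail silently, which is worth a line in the commit description.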