make sandbox builds more permissive
parent
6dbc9e02ec
commit
e770f941d6
|
@ -59,7 +59,7 @@
|
||||||
/* chroot-like behavior from Apple's sandbox */
|
/* chroot-like behavior from Apple's sandbox */
|
||||||
#if __APPLE__
|
#if __APPLE__
|
||||||
#define SANDBOX_ENABLED 1
|
#define SANDBOX_ENABLED 1
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
|
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/"
|
||||||
#else
|
#else
|
||||||
#define SANDBOX_ENABLED 0
|
#define SANDBOX_ENABLED 0
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin"
|
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin"
|
||||||
|
@ -2451,7 +2451,7 @@ void DerivationGoal::runChild()
|
||||||
|
|
||||||
sandboxProfile += "(allow file-read* file-write-data (literal \"/dev/null\"))\n";
|
sandboxProfile += "(allow file-read* file-write-data (literal \"/dev/null\"))\n";
|
||||||
|
|
||||||
sandboxProfile += "(allow ipc-posix-shm*)\n";
|
sandboxProfile += "(allow ipc-posix-shm* ipc-posix-sem)\n";
|
||||||
|
|
||||||
sandboxProfile += "(allow mach-lookup\n"
|
sandboxProfile += "(allow mach-lookup\n"
|
||||||
"\t(global-name \"com.apple.SecurityServer\")\n"
|
"\t(global-name \"com.apple.SecurityServer\")\n"
|
||||||
|
|
|
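Review bot: In the first hunk, changing the `__APPLE__` default of `DEFAULT_ALLOWED_IMPURE_PREFIXES` to `"/"` turns the prefix allow-list into a match-everything rule. Any host path declared as an impure dependency would then pass by default, not only the four system locations listed before. The code that consumes the macro is outside this hunk, so the exact effect should be confirmed there, but the `isInDir` change in this same commit makes `"/"` match every path. I would keep a narrow default, add only the prefixes the failing builds need, and leave `"/"` as an explicit opt-in in configuration. If the wide default stays, say so next to the define, e.g. `/* "/" disables impure-prefix filtering on macOS: every host path is accepted */`.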
@ -167,10 +167,11 @@ string baseNameOf(const Path & path)
|
||||||
|
|
||||||
bool isInDir(const Path & path, const Path & dir)
|
bool isInDir(const Path & path, const Path & dir)
|
||||||
{
|
{
|
||||||
return path[0] == '/'
|
return dir == "/"
|
||||||
&& string(path, 0, dir.size()) == dir
|
|| (path[0] == '/'
|
||||||
&& path.size() >= dir.size() + 2
|
&& string(path, 0, dir.size()) == dir
|
||||||
&& path[dir.size()] == '/';
|
&& path.size() >= dir.size() + 2
|
||||||
|
&& path[dir.size()] == '/');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
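Review bot: The new `dir == "/"` short-circuit in `isInDir` returns true before `path[0] == '/'` is evaluated, so a relative or empty `path` is now reported as inside `/`, which the old expression rejected for every `dir`. The callers are not visible in this hunk, but if this result feeds the sandbox prefix check, the absolute-path requirement should stay outside the special case: `return path[0] == '/' && (dir == "/" || (string(path, 0, dir.size()) == dir && path.size() >= dir.size() + 2 && path[dir.size()] == '/'));`. The comparison is purely textual and does not resolve `..` components, so a short comment such as `/* lexical prefix test only; callers must pass canonical absolute paths */` would make that contract explicit.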