update sandbox profiles within nix

2015-11-12 22:51:52 -08:00 · 2015-11-12 22:51:52 -08:00 · 22dfd023fa
parent 8a7f0dfd68
commit 22dfd023fa
2 changed files with 19 additions and 4 deletions
--- a/corepkgs/buildenv.nix
+++ b/corepkgs/buildenv.nix
@ -23,10 +23,20 @@ derivation {
  # network traffic, so don't do that.
  preferLocalBuild = true;
-  __impureHostDeps = if builtins.currentSystem == "x86_64-darwin" then [
+  __sandboxProfile = ''
-    "/usr/lib/libSystem.dylib"
+    (allow sysctl-read)
-    "/usr/lib/system"
+    (allow file-read*
-  ] else null;
+           (literal "/usr/lib/libSystem.dylib")
           (literal "/usr/lib/libSystem.B.dylib")
           (literal "/usr/lib/libobjc.A.dylib")
           (literal "/usr/lib/libobjc.dylib")
           (literal "/usr/lib/libauto.dylib")
           (literal "/usr/lib/libc++abi.dylib")
           (literal "/usr/lib/libc++.1.dylib")
           (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
           (subpath "/usr/lib/system")
           (subpath "/dev"))
  '';
  inherit chrootDeps;
 }
--- a/release.nix
+++ b/release.nix
@ -97,6 +97,11 @@ let
        enableParallelBuilding = true;
        __sandboxProfile = lib.sandbox.allowNetwork
          + lib.sandbox.allowFileRead {
            literal = [ "/etc" "/etc/nix/nix.conf" "/private/etc/nix/nix.conf" ];
          };
        makeFlags = "profiledir=$(out)/etc/profile.d";
        preBuild = "unset NIX_INDENT_MAKE";