Merge pull request #1650 from copumpkin/darwin-sandbox-unix-socket

Always allow builds to use unix domain sockets in Darwin sandbox
Eelco Dolstra 2017-11-08 16:16:42 +01:00 committed by GitHub
commit 513b143cd8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -25,7 +25,14 @@
(allow mach-lookup (global-name "com.apple.system.opendirectoryd.libinfo")) (allow mach-lookup (global-name "com.apple.system.opendirectoryd.libinfo"))
; Access to /tmp. ; Access to /tmp.
(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) ; The network-outbound/network-inbound ones are for unix domain sockets, which
; we allow access to in TMPDIR (but if we allow them more broadly, you could in
; theory escape the sandbox)
(allow file* process-exec network-outbound network-inbound
(literal "/tmp") (subpath TMPDIR))
; Always allow unix domain sockets, since they can't hurt purity or security
; Some packages like to read the system version. ; Some packages like to read the system version.
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) (allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
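Review bot: The two comments in this section contradict each other. The TMPDIR comment says that allowing unix domain sockets more broadly could in theory let a build escape the sandbox, while `; Always allow unix domain sockets, since they can't hurt purity or security` asserts the opposite. The rule that the second comment introduces is not visible in this rendering, so its scope cannot be checked here. If it grants `network-outbound` to socket paths outside `(subpath TMPDIR)`, a build could presumably connect to any host daemon listening on a unix socket, which is an IPC channel out of the sandbox and a source of impurity. I would either keep the grant scoped to TMPDIR or replace the claim with the actual rationale and residual risk, for example `; Unix domain sockets are allowed outside TMPDIR; builds can then reach host daemons that listen on one, so keep this rule as narrow as possible`.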