Darwin sandbox: Use sandbox-defaults.sb

Issue #759.

Also, remove nix.conf from the sandbox since I don't really see a
legitimate reason for builders to access the Nix configuration.
Eelco Dolstra 2017-05-30 17:40:12 +02:00
parent 53a1644187
commit acc889c821
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
5 changed files with 19 additions and 16 deletions

.gitignore vendored

@ -48,8 +48,8 @@ perl/Makefile.config
/src/libexpr/nix.tbl /src/libexpr/nix.tbl
# /src/libstore/ # /src/libstore/
/src/libstore/schema.sql.hh /src/libstore/schema.sql.gen.hh
/src/libstore/sandbox-defaults.sb /src/libstore/sandbox-defaults.sb.gen.hh
/src/nix/nix /src/nix/nix


@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
sandboxProfile += "(deny default (with no-log))\n"; sandboxProfile += "(deny default (with no-log))\n";
} }
/* Disallow creating setuid/setgid binaries, since that sandboxProfile +=
would allow breaking build user isolation. */ #include "sandbox-defaults.sb.gen.hh"
sandboxProfile += "(deny file-write-setugid)\n"; ;
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */ to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
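Review bot: The `#include "sandbox-defaults.sb.gen.hh"` is spliced straight into the `sandboxProfile +=` expression with nothing telling the reader that the default profile is now compiled into the binary rather than installed and read from `$(datadir)/nix` (that install rule is dropped in local.mk in this same commit). A one-line comment next to the include would save the next maintainer a trip to the makefile, e.g. `/* Default sandbox rules, embedded at build time from sandbox-defaults.sb (see local.mk). */`. Since the generated header is a raw string literal delimited by `foo`, the profile must never contain the sequence `)foo"`; that fails at compile time rather than at run time, but it is worth a short note in the .sb file itself. The body of runChild begins and ends outside this hunk.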


@ -320,7 +320,7 @@ void LocalStore::openDB(State & state, bool create)
/* Initialise the database schema, if necessary. */ /* Initialise the database schema, if necessary. */
if (create) { if (create) {
const char * schema = const char * schema =
#include "schema.sql.hh" #include "schema.sql.gen.hh"
; ;
db.exec(schema); db.exec(schema);
} }


@ -34,12 +34,16 @@ libstore_CXXFLAGS = \
-DSANDBOX_SHELL="\"$(sandbox_shell)\"" \ -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
-DLSOF=\"$(lsof)\" -DLSOF=\"$(lsof)\"
$(d)/local-store.cc: $(d)/schema.sql.hh $(d)/local-store.cc: $(d)/schema.sql.gen.hh
%.sql.hh: %.sql $(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh
$(trace-gen) sed -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $< > $@ || (rm $@ && exit 1)
clean-files += $(d)/schema.sql.hh %.gen.hh: %
echo 'R"foo(' >> $@.tmp
cat $< >> $@.tmp
echo ')foo"' >> $@.tmp
mv $@.tmp $@
clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh
$(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644)) $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))
$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644))
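Review bot: The new `%.gen.hh: %` rule appends to `$@.tmp` with `>>` on every line, so a `.tmp` left behind by an interrupted build (the `mv` never runs if `cat` fails) is reused and the next build embeds a doubled, broken raw string. The first command should truncate instead, `echo 'R"foo(' > $@.tmp`, or the recipe should start with `rm -f $@.tmp`. The rule also drops the `$(trace-gen)` prefix the old `%.sql.hh` rule carried, so these generations no longer show in trace output; `$(trace-gen) echo 'R"foo(' > $@.tmp` keeps that consistent. Because the inputs are now embedded verbatim, any `@sysconfdir@`-style placeholder still left in sandbox-defaults.sb outside the lines this commit removes would reach the binary unsubstituted — worth confirming that none remain, or that build.cc substitutes them at run time.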


@ -28,15 +28,10 @@
(allow file-read-metadata (allow file-read-metadata
(literal "/var") (literal "/var")
(literal "/tmp") (literal "/tmp")
; symlinks
(literal "@sysconfdir@")
(literal "@sysconfdir@/nix")
(literal "@sysconfdir@/nix/nix.conf")
(literal "/etc/resolv.conf") (literal "/etc/resolv.conf")
(literal "/private/etc/resolv.conf")) (literal "/private/etc/resolv.conf"))
(allow file-read* (allow file-read*
(literal "/private@sysconfdir@/nix/nix.conf")
(literal "/private/var/run/resolv.conf")) (literal "/private/var/run/resolv.conf"))
; some builders use filehandles other than stdin/stdout ; some builders use filehandles other than stdin/stdout
@ -61,3 +56,7 @@
; allow local networking ; allow local networking
(allow network* (local ip) (remote unix-socket)) (allow network* (local ip) (remote unix-socket))
; Disallow creating setuid/setgid binaries, since that
; would allow breaking build user isolation.
(deny file-write-setugid)
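Review bot: `(deny file-write-setugid)` now sits at the very end of the default profile, after `(allow network* ...)`, and build.cc appears to go on appending rules that open up the build's temporary directory after this text (per the comment at the end of the build.cc hunk). If the profile evaluator lets a later matching rule win, as is commonly described for SBPL, a later broad `file-write*` allow could re-permit setuid/setgid writes under those paths; the relative ordering is the same as the old inline emission, so nothing regresses here, but a comment such as `; must stay in effect after any file-write* allows appended by build.cc` would record the dependency for whoever reorders the file next. The first hunk drops the `; symlinks` comment together with the nix.conf entries; a one-line comment stating that builders get no access to the Nix configuration would carry the commit message's rationale into the profile itself.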