From bc6b3f7e8fa46c183e20a9f28a5e0a7a6a19429d Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Tue, 31 Oct 2017 13:16:51 +0100 Subject: [PATCH] Always allow builds to use unix domain sockets in Darwin sandbox --- src/libstore/sandbox-defaults.sb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb index cf700c62c..b4e29c943 100644 --- a/src/libstore/sandbox-defaults.sb +++ b/src/libstore/sandbox-defaults.sb @@ -22,7 +22,14 @@ (allow signal (target same-sandbox)) ; Access to /tmp. -(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) +; The network-outbound/network-inbound ones are for unix domain sockets, which +; we allow access to in TMPDIR (but if we allow them more broadly, you could in +; theory escape the sandbox) +(allow file* process-exec network-outbound network-inbound + (literal "/tmp") (subpath TMPDIR)) + +; Always allow unix domain sockets, since they can't hurt purity or security + ; Some packages like to read the system version. (allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))