From 7526b7ded6d5884cefcd4c71e0a33962d883ae78 Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 18 Dec 2023 19:33:20 -0500
Subject: [PATCH] Allow access to /dev/stderr in Darwin sandbox

We allow /dev/stdout, so why not this? Since it is process-local, anyway, should not be possible to escape sandbox using it.
---
 src/libstore/build/sandbox-defaults.sb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/libstore/build/sandbox-defaults.sb b/src/libstore/build/sandbox-defaults.sb
index 77f013aea..25ec11285 100644
--- a/src/libstore/build/sandbox-defaults.sb
+++ b/src/libstore/build/sandbox-defaults.sb
@@ -68,6 +68,7 @@ R""(
 (allow file*
 (literal "/dev/null")
 (literal "/dev/random")
+ (literal "/dev/stderr")
 (literal "/dev/stdin")
 (literal "/dev/stdout")
 (literal "/dev/tty")
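Review bot: The reason the new `(literal "/dev/stderr")` entry is safe is recorded only in the commit message, so the `(allow file* ...)` list should carry it as a comment beside the standard-stream literals, for example `; /dev/std{in,out,err} refer to the calling process's own descriptors 0-2, so these rules expose nothing the builder did not already inherit`. Writing it down also makes the underlying assumption visible: the allowance is only as harmless as whatever the builder is started with on fd 2. The entry is granted under `file*`, the broadest operation class, while stderr presumably needs only write access; a narrower rule such as `file-write*` may be enough, although that would differ from how the neighbouring `/dev/stdout` entry is granted. The `allow` form opens above the added line and is closed outside this hunk, so the rest of the list could not be checked here.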