puck/lix
0
0
Fork 0
forked from lix-project/lix
Code Pull requests Activity
lix/src/libstore/sandbox-defaults.sb
Dan Peebles 4a4a009f78 Allow optional localhost network access to sandboxed derivations 
This will allow bind and connect to 127.0.0.1, which can reduce purity/
security (if you're running a vulnerable service on localhost) but is
also needed for a ton of test suites, so I'm leaving it turned off by
default but allowing certain derivations to turn it on as needed.

It also allows DNS resolution of arbitrary hostnames but I haven't found
a way to avoid that. In principle I'd just want to allow resolving
localhost but that doesn't seem to be possible.

I don't think this belongs under `build-use-sandbox = relaxed` because we
want it on Hydra and I don't think it's the end of the world.
2017-10-30 17:59:12 +01:00

81 lines
2.5 KiB
Plaintext
Raw Blame History

(define TMPDIR (param "_GLOBAL_TMP_DIR"))
(deny default)
; Disallow creating setuid/setgid binaries, since that
; would allow breaking build user isolation.
(deny file-write-setugid)
; Allow forking.
(allow process-fork)
; Allow reading system information like #CPUs, etc.
(allow sysctl-read)
; Allow POSIX semaphores and shared memory.
(allow ipc-posix*)
; Allow socket creation.
(allow system-socket)
; Allow sending signals within the sandbox.
(allow signal (target same-sandbox))
; Access to /tmp.
(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
; Some packages like to read the system version.
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
; Without this line clang cannot write to /dev/null, breaking some configure tests.
(allow file-read-metadata (literal "/dev"))
; Many packages like to do local networking in their test suites, but let's only
; allow it if the package explicitly asks for it.
(if (param "_ALLOW_LOCAL_NETWORKING")
(begin
(allow network* (local ip) (local tcp) (local udp))
; Allow access to /etc/resolv.conf (which is a symlink to
; /private/var/run/resolv.conf).
; TODO: deduplicate with sandbox-network.sb
(allow file-read-metadata
(literal "/var")
(literal "/etc")
(literal "/etc/resolv.conf")
(literal "/private/etc/resolv.conf"))
(allow file-read*
(literal "/private/var/run/resolv.conf"))
; Allow DNS lookups. This is even needed for localhost, which lots of tests rely on
(allow file-read-metadata (literal "/etc/hosts"))
(allow file-read* (literal "/private/etc/hosts"))
(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))))
; Standard devices.
(allow file*
(literal "/dev/null")
(literal "/dev/random")
(literal "/dev/stdin")
(literal "/dev/stdout")
(literal "/dev/tty")
(literal "/dev/urandom")
(literal "/dev/zero")
(subpath "/dev/fd"))
; Does nothing, but reduces build noise.
(allow file* (literal "/dev/dtracehelper"))
; Allow access to zoneinfo since libSystem needs it.
(allow file-read* (subpath "/usr/share/zoneinfo"))
(allow file-read* (subpath "/usr/share/locale"))
; This is mostly to get more specific log messages when builds try to
; access something in /etc or /var.
(allow file-read-metadata
(literal "/etc")
(literal "/var")
(literal "/private/var/tmp"))
View git blame Copy permalink