Include macOS sandbox files in the Nix binary
This basically reverts 6e5165b773.
It fixes errors like
sandbox-exec: <internal init prelude>:292:47: unable to open sandbox-minimal.sb: not found
when trying to run a development Nix installed in a user's home
directory.
Also, we're trying to minimize the number of installed files
to make it possible to deploy Nix as a single statically-linked
binary.
This commit is contained in:
parent
d4d1ca8b11
commit
609a7dc059
5 changed files with 21 additions and 9 deletions
@ -2050,10 +2050,14 @@ void LocalDerivationGoal::runChild()
|
||||||
sandboxProfile += "(deny default (with no-log))\n";
|
sandboxProfile += "(deny default (with no-log))\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
|
sandboxProfile +=
|
||||||
|
#include "sandbox-defaults.sb"
|
||||||
|
;
|
||||||
|
|
||||||
if (!derivationType.isSandboxed())
|
if (!derivationType.isSandboxed())
|
||||||
sandboxProfile += "(import \"sandbox-network.sb\")\n";
|
sandboxProfile +=
|
||||||
|
#include "sandbox-network.sb"
|
||||||
|
;
|
||||||
|
|
||||||
/* Add the output paths we'll use at build-time to the chroot */
|
/* Add the output paths we'll use at build-time to the chroot */
|
||||||
sandboxProfile += "(allow file-read* file-write* process-exec\n";
|
sandboxProfile += "(allow file-read* file-write* process-exec\n";
|
||||||
|
@ -2096,7 +2100,9 @@ void LocalDerivationGoal::runChild()
|
||||||
|
|
||||||
sandboxProfile += additionalSandboxProfile;
|
sandboxProfile += additionalSandboxProfile;
|
||||||
} else
|
} else
|
||||||
sandboxProfile += "(import \"sandbox-minimal.sb\")\n";
|
sandboxProfile +=
|
||||||
|
#include "sandbox-minimal.sb"
|
||||||
|
;
|
||||||
|
|
||||||
debug("Generated sandbox profile:");
|
debug("Generated sandbox profile:");
|
||||||
debug(sandboxProfile);
|
debug(sandboxProfile);
|
||||||
|
@ -2121,8 +2127,6 @@ void LocalDerivationGoal::runChild()
|
||||||
args.push_back(sandboxFile);
|
args.push_back(sandboxFile);
|
||||||
args.push_back("-D");
|
args.push_back("-D");
|
||||||
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
|
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
|
||||||
args.push_back("-D");
|
|
||||||
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
|
|
||||||
if (allowLocalNetworking) {
|
if (allowLocalNetworking) {
|
||||||
args.push_back("-D");
|
args.push_back("-D");
|
||||||
args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
|
args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
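Review bot: The `#include "sandbox-defaults.sb"` spliced between `sandboxProfile +=` and `;` in the first hunk (and the same shape for sandbox-network.sb in that hunk and sandbox-minimal.sb in the second) only works because each .sb file now starts with `R""(` and ends with `)""`, and nothing at the include site says so, so a reader will take it for a stray directive. A one-line comment above the first site, `// The .sb profiles are raw string literals (R""( ... )""), so this #include embeds the profile text in the binary instead of importing it from IMPORT_DIR at run time`, would make the construct self-explaining; the other two sites can just say `// see sandbox-defaults.sb include above`. Since the profile text is now fixed at build time, the third hunk's removal of the `IMPORT_DIR` define is consistent, but the build must see the .sb files as dependencies of this translation unit; if dependency files come from the compiler's -MMD output that is automatic, though I cannot confirm it from the hunks shown. runChild starts before the first hunk and continues past the last one.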
@ -13,10 +13,6 @@ ifdef HOST_LINUX
|
||||||
libstore_LDFLAGS += -ldl
|
libstore_LDFLAGS += -ldl
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifdef HOST_DARWIN
|
|
||||||
libstore_FILES = sandbox-defaults.sb sandbox-minimal.sb sandbox-network.sb
|
|
||||||
endif
|
|
||||||
|
|
||||||
$(foreach file,$(libstore_FILES),$(eval $(call install-data-in,$(d)/$(file),$(datadir)/nix/sandbox)))
|
$(foreach file,$(libstore_FILES),$(eval $(call install-data-in,$(d)/$(file),$(datadir)/nix/sandbox)))
|
||||||
|
|
||||||
ifeq ($(ENABLE_S3), 1)
|
ifeq ($(ENABLE_S3), 1)
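Review bot: The `$(foreach file,$(libstore_FILES),$(eval $(call install-data-in,$(d)/$(file),$(datadir)/nix/sandbox)))` line survives this hunk although the only assignment to `libstore_FILES` in view is the one being removed, so the loop now installs nothing unless the variable is set elsewhere in the makefile. If it is not, drop the loop as well: an install rule over an empty list invites someone to re-add files under $(datadir)/nix/sandbox that the binary, which now carries the profiles itself, never reads.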
@ -1,3 +1,5 @@
|
||||||
|
R""(
|
||||||
|
|
||||||
(define TMPDIR (param "_GLOBAL_TMP_DIR"))
|
(define TMPDIR (param "_GLOBAL_TMP_DIR"))
|
||||||
|
|
||||||
(deny default)
|
(deny default)
|
||||||
|
@ -104,3 +106,5 @@
|
||||||
(subpath "/System/Library/Apple/usr/libexec/oah")
|
(subpath "/System/Library/Apple/usr/libexec/oah")
|
||||||
(subpath "/System/Library/LaunchDaemons/com.apple.oahd.plist")
|
(subpath "/System/Library/LaunchDaemons/com.apple.oahd.plist")
|
||||||
(subpath "/Library/Apple/System/Library/LaunchDaemons/com.apple.oahd.plist"))
|
(subpath "/Library/Apple/System/Library/LaunchDaemons/com.apple.oahd.plist"))
|
||||||
|
|
||||||
|
)""
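Review bot: The raw string literal opened at the top of the file uses an empty delimiter, `R""(`, so the first `)"` sequence anywhere in the profile text would terminate the literal early and break the C++ include site; the same applies to sandbox-minimal.sb and sandbox-network.sb. The lines shown in these hunks do not contain that sequence, but a string immediately following a closing parenthesis in a future rule would, and the failure shows up only as a compile error far from the .sb file. Opening with `R"sb(` and closing with `)sb"` in all three files removes the hazard at no cost.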
@ -1,5 +1,9 @@
|
||||||
|
R""(
|
||||||
|
|
||||||
(allow default)
|
(allow default)
|
||||||
|
|
||||||
; Disallow creating setuid/setgid binaries, since that
|
; Disallow creating setuid/setgid binaries, since that
|
||||||
; would allow breaking build user isolation.
|
; would allow breaking build user isolation.
|
||||||
(deny file-write-setugid)
|
(deny file-write-setugid)
|
||||||
|
|
||||||
|
)""
@ -1,3 +1,5 @@
|
||||||
|
R""(
|
||||||
|
|
||||||
; Allow local and remote network traffic.
|
; Allow local and remote network traffic.
|
||||||
(allow network* (local ip) (remote ip))
|
(allow network* (local ip) (remote ip))
|
||||||
|
|
||||||
|
@ -18,3 +20,5 @@
|
||||||
; Allow access to trustd.
|
; Allow access to trustd.
|
||||||
(allow mach-lookup (global-name "com.apple.trustd"))
|
(allow mach-lookup (global-name "com.apple.trustd"))
|
||||||
(allow mach-lookup (global-name "com.apple.trustd.agent"))
|
(allow mach-lookup (global-name "com.apple.trustd.agent"))
|
||||||
|
|
||||||
|
)""