author | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30T15·16+0200 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30T15·17+0200 |
commit | 53a16441878ebd4a5ac6ef8a95a649bfd521da3d (patch) | |
tree | 81b2a901795a8c0b99545772ba0b9224612b535f | |
parent | 83eec5a997cd121158b7adb32a688dc5a63d6c9c (diff) |
Darwin sandbox: Disallow creating setuid/setgid binaries
Suggested by Daiderd Jordan.
-rw-r--r-- | src/libstore/build.cc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 86cab9f35b6f..46ce562f798e 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2656,6 +2656,10 @@ void DerivationGoal::runChild()
 sandboxProfile += "(deny default (with no-log))\n";
 }
+ /* Disallow creating setuid/setgid binaries, since that
+ would allow breaking build user isolation. */
+ sandboxProfile += "(deny file-write-setugid)\n";
+
 /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
 Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true); |
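Review bot: The new `(deny file-write-setugid)` rule carries no `(with no-log)` modifier, unlike the `(deny default (with no-log))` line just above it in the hunk, so if the profile's logging modifier works per rule as it appears to, an attempt to set the setuid/setgid bits will presumably be logged by the sandbox even when the quiet variant of the default rule was chosen. That may well be intended, since a logged denial is a useful signal that a build tried to create a setuid binary, but the comment should say so rather than leave the asymmetry looking accidental. The comment should also spell out the consequence for builders, e.g. `/* Derivations that need setuid/setgid outputs will fail under the Darwin sandbox; denials of this rule are not marked no-log, so they are logged regardless of the default-rule choice above. */`. The if/else that selects the logging variant starts before the hunk, and runChild's body continues outside it.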