about summary refs log tree commit diff
diff options
context:
space:
mode:
authorJude Taylor <me@jude.bio>2015-11-13T06·51-0800
committerJude Taylor <me@jude.bio>2015-11-14T22·11-0800
commit22dfd023fafc5951619072d3031e3198f9538e45 (patch)
treeecc0e2e13d89fcd7d11f28a9a1a73f09043ca2cf
parent8a7f0dfd68a785d254f7156c4b57c8809eb4bbbe (diff)
update sandbox profiles within nix
-rw-r--r--corepkgs/buildenv.nix18
-rw-r--r--release.nix5
2 files changed, 19 insertions, 4 deletions
diff --git a/corepkgs/buildenv.nix b/corepkgs/buildenv.nix
index b4946457f167..ab1ce13f2cf6 100644
--- a/corepkgs/buildenv.nix
+++ b/corepkgs/buildenv.nix
@@ -23,10 +23,20 @@ derivation {
   # network traffic, so don't do that.
   preferLocalBuild = true;
 
-  __impureHostDeps = if builtins.currentSystem == "x86_64-darwin" then [
-    "/usr/lib/libSystem.dylib"
-    "/usr/lib/system"
-  ] else null;
+  __sandboxProfile = ''
+    (allow sysctl-read)
+    (allow file-read*
+           (literal "/usr/lib/libSystem.dylib")
+           (literal "/usr/lib/libSystem.B.dylib")
+           (literal "/usr/lib/libobjc.A.dylib")
+           (literal "/usr/lib/libobjc.dylib")
+           (literal "/usr/lib/libauto.dylib")
+           (literal "/usr/lib/libc++abi.dylib")
+           (literal "/usr/lib/libc++.1.dylib")
+           (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+           (subpath "/usr/lib/system")
+           (subpath "/dev"))
+  '';
 
   inherit chrootDeps;
 }
diff --git a/release.nix b/release.nix
index 4269a3f76d8c..cb391d0ffa61 100644
--- a/release.nix
+++ b/release.nix
@@ -97,6 +97,11 @@ let
 
         enableParallelBuilding = true;
 
+        __sandboxProfile = lib.sandbox.allowNetwork
+          + lib.sandbox.allowFileRead {
+            literal = [ "/etc" "/etc/nix/nix.conf" "/private/etc/nix/nix.conf" ];
+          };
+
         makeFlags = "profiledir=$(out)/etc/profile.d";
 
         preBuild = "unset NIX_INDENT_MAKE";