authorShea Levy <shea@shealevy.com>2015-11-19T22·44-0500
committerShea Levy <shea@shealevy.com>2015-11-19T22·44-0500
commit5deb7fbdfb9fd910be6be4bfcd139ebdac435242 (patch)
treeda8e56515ec79bf5d865b2775f8073fcebbbc818 /corepkgs
parent33f2fbcb62a4c47dd5c9c2fd987f5288b81dae61 (diff)
parent36f7fcc157de8d4f1b195f0e3cb7e384d4083c2a (diff)
Merge branch 'sandbox-profiles' of git://github.com/pikajude/nix
Temporarily allow derivations to describe their full sandbox profile.
This will eventually be scaled back to a more secure setup; see the
discussion at #695
Diffstat (limited to 'corepkgs')
-rw-r--r--corepkgs/buildenv.nix18
1 files changed, 14 insertions, 4 deletions
diff --git a/corepkgs/buildenv.nix b/corepkgs/buildenv.nix
index b4946457f167..ab1ce13f2cf6 100644
--- a/corepkgs/buildenv.nix
+++ b/corepkgs/buildenv.nix
@@ -23,10 +23,20 @@ derivation {
   # network traffic, so don't do that.
   preferLocalBuild = true;
 
-  __impureHostDeps = if builtins.currentSystem == "x86_64-darwin" then [
-    "/usr/lib/libSystem.dylib"
-    "/usr/lib/system"
-  ] else null;
+  __sandboxProfile = ''
+    (allow sysctl-read)
+    (allow file-read*
+           (literal "/usr/lib/libSystem.dylib")
+           (literal "/usr/lib/libSystem.B.dylib")
+           (literal "/usr/lib/libobjc.A.dylib")
+           (literal "/usr/lib/libobjc.dylib")
+           (literal "/usr/lib/libauto.dylib")
+           (literal "/usr/lib/libc++abi.dylib")
+           (literal "/usr/lib/libc++.1.dylib")
+           (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+           (subpath "/usr/lib/system")
+           (subpath "/dev"))
+  '';
 
   inherit chrootDeps;
 }
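Review bot: The `(subpath "/dev")` entry on the new `file-read*` rule grants read access to the entire device tree, which is far broader than the two `/usr/lib` paths the removed `__impureHostDeps` list exposed, and nothing in the hunk records why a whole-subtree grant is needed rather than specific device nodes. The commit message says the profile will be narrowed later, so the hunk should carry that intent next to the grant, e.g. `# TODO(#695): narrow (subpath "/dev") to the device nodes buildenv actually needs`. The same applies to `(allow sysctl-read)`, which is unconditional and unexplained. A short comment above `__sandboxProfile` stating that the attribute replaces the former Darwin-only host-dependency list would also help, since the old `builtins.currentSystem == "x86_64-darwin"` condition is gone and it is not visible here whether the profile is ignored on other platforms.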