author | Shea Levy <shea@shealevy.com> | 2015-11-19T22·44-0500 |
---|---|---|
committer | Shea Levy <shea@shealevy.com> | 2015-11-19T22·44-0500 |
commit | 5deb7fbdfb9fd910be6be4bfcd139ebdac435242 (patch) | |
tree | da8e56515ec79bf5d865b2775f8073fcebbbc818 /corepkgs | |
parent | 33f2fbcb62a4c47dd5c9c2fd987f5288b81dae61 (diff) | |
parent | 36f7fcc157de8d4f1b195f0e3cb7e384d4083c2a (diff) |
Merge branch 'sandbox-profiles' of git://github.com/pikajude/nix
Temporarily allow derivations to describe their full sandbox profile. This will eventually be scaled back to a more restrictive setup; see the discussion in #695.
Diffstat (limited to 'corepkgs')
-rw-r--r-- | corepkgs/buildenv.nix | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/corepkgs/buildenv.nix b/corepkgs/buildenv.nix
index b4946457f167..ab1ce13f2cf6 100644
--- a/corepkgs/buildenv.nix
+++ b/corepkgs/buildenv.nix
@@ -23,10 +23,20 @@ derivation {
 # network traffic, so don't do that.
 preferLocalBuild = true;
- __impureHostDeps = if builtins.currentSystem == "x86_64-darwin" then [
- "/usr/lib/libSystem.dylib"
- "/usr/lib/system"
- ] else null;
+ __sandboxProfile = ''
+ (allow sysctl-read)
+ (allow file-read*
+ (literal "/usr/lib/libSystem.dylib")
+ (literal "/usr/lib/libSystem.B.dylib")
+ (literal "/usr/lib/libobjc.A.dylib")
+ (literal "/usr/lib/libobjc.dylib")
+ (literal "/usr/lib/libauto.dylib")
+ (literal "/usr/lib/libc++abi.dylib")
+ (literal "/usr/lib/libc++.1.dylib")
+ (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+ (subpath "/usr/lib/system")
+ (subpath "/dev"))
+ '';
 inherit chrootDeps;
 } |
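Review bot: `(subpath "/dev")` in the new `__sandboxProfile` grants `file-read*` on the entire /dev tree, which is far broader than the two host paths the removed `__impureHostDeps` listed; if the builder only needs a few device nodes (presumably things like /dev/null — confirm by running the build with the rule removed), enumerate them with `(literal "/dev/null")`-style entries instead of a subpath. The `builtins.currentSystem == "x86_64-darwin"` guard is also dropped, so this Seatbelt profile is now attached to the derivation on every platform; that is likely harmless where the attribute is ignored, but nothing in the hunk says so. Since the commit message itself calls this temporary, a comment above the attribute would help the next maintainer scope it back, e.g. `# Temporary: full Seatbelt profile for this builder (darwin only in practice); narrow to specific paths once sandbox profiles are restricted again, see #695.`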