diff options
| author | Jude Taylor <me@jude.bio> | 2015-09-29T16·03-0700 |
|---|---|---|
| committer | Jude Taylor <me@jude.bio> | 2015-10-21T19·38-0700 |
| commit | e770f941d612922a19fae0dd7552a47a64751c42 (patch) | |
| tree | 6c0370484f15e38683822279b4849f50094e67a0 /src/libstore/build.cc | |
| parent | 6dbc9e02ecc649f6739dac3a87381223e96f5e75 (diff) | |
make sandbox builds more permissive
Diffstat (limited to 'src/libstore/build.cc')
| -rw-r--r-- | src/libstore/build.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 983aba938765..b11b04638040 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -59,7 +59,7 @@ /* chroot-like behavior from Apple's sandbox */ #if __APPLE__ #define SANDBOX_ENABLED 1 - #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh" + #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/" #else #define SANDBOX_ENABLED 0 #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin" @@ -2451,7 +2451,7 @@ void DerivationGoal::runChild() sandboxProfile += "(allow file-read* file-write-data (literal \"/dev/null\"))\n"; - sandboxProfile += "(allow ipc-posix-shm*)\n"; + sandboxProfile += "(allow ipc-posix-shm* ipc-posix-sem)\n"; sandboxProfile += "(allow mach-lookup\n" "\t(global-name \"com.apple.SecurityServer\")\n" |