Darwin sandbox: Use sandbox-defaults.sb

Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
author: Eelco Dolstra <edolstra@gmail.com> 2017-05-30T15·40+0200
committer: Eelco Dolstra <edolstra@gmail.com> 2017-05-30T15·40+0200
commit: acc889c82179e96537ebe1494ec13b9536d579ca (patch)
tree: eeff56d8de6984cdbfe8dd661de9fb6d14c1d8a8 /src/libstore/build.cc
parent: 53a16441878ebd4a5ac6ef8a95a649bfd521da3d (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 46ce562f798e..92471b228d00 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
                 sandboxProfile += "(deny default (with no-log))\n";
             }
 
-            /* Disallow creating setuid/setgid binaries, since that
-               would allow breaking build user isolation. */
-            sandboxProfile += "(deny file-write-setugid)\n";
+            sandboxProfile +=
+#include "sandbox-defaults.sb.gen.hh"
+                ;
 
             /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
                to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
author	Eelco Dolstra <edolstra@gmail.com>	2017-05-30T15·40+0200
committer	Eelco Dolstra <edolstra@gmail.com>	2017-05-30T15·40+0200
commit	acc889c82179e96537ebe1494ec13b9536d579ca (patch)
tree	eeff56d8de6984cdbfe8dd661de9fb6d14c1d8a8 /src/libstore/build.cc
parent	53a16441878ebd4a5ac6ef8a95a649bfd521da3d (diff)