author | Shea Levy <shea@shealevy.com> | 2015-11-19T22·44-0500 |
---|---|---|
committer | Shea Levy <shea@shealevy.com> | 2015-11-19T22·44-0500 |
commit | 5deb7fbdfb9fd910be6be4bfcd139ebdac435242 (patch) | |
tree | da8e56515ec79bf5d865b2775f8073fcebbbc818 /src/libstore/sandbox-defaults.sb.in | |
parent | 33f2fbcb62a4c47dd5c9c2fd987f5288b81dae61 (diff) | |
parent | 36f7fcc157de8d4f1b195f0e3cb7e384d4083c2a (diff) |
Merge branch 'sandbox-profiles' of git://github.com/pikajude/nix
Temporarily allow derivations to describe their full sandbox profile. This will eventually be scaled back to a more secure setup; see the discussion at #695
Diffstat (limited to 'src/libstore/sandbox-defaults.sb.in')
-rw-r--r-- | src/libstore/sandbox-defaults.sb.in | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/src/libstore/sandbox-defaults.sb.in b/src/libstore/sandbox-defaults.sb.in
deleted file mode 100644
index b5e80085fbe2..000000000000
--- a/src/libstore/sandbox-defaults.sb.in
+++ /dev/null
@@ -1,63 +0,0 @@
-(allow file-read* file-write-data (literal "/dev/null"))
-(allow ipc-posix*)
-(allow mach-lookup (global-name "com.apple.SecurityServer"))
-
-(allow file-read*
- (literal "/dev/dtracehelper")
- (literal "/dev/tty")
- (literal "/dev/autofs_nowait")
- (literal "/System/Library/CoreServices/SystemVersion.plist")
- (literal "/private/var/run/systemkeychaincheck.done")
- (literal "/private/etc/protocols")
- (literal "/private/var/tmp")
- (literal "/private/var/db")
- (subpath "/private/var/db/mds"))
-
-(allow file-read*
- (subpath "/usr/share/icu")
- (subpath "/usr/share/locale")
- (subpath "/usr/share/zoneinfo"))
-
-(allow file-write*
- (literal "/dev/tty")
- (literal "/dev/dtracehelper")
- (literal "/mds"))
-
-(allow file-ioctl (literal "/dev/dtracehelper"))
-
-(allow file-read-metadata
- (literal "/var")
- (literal "/tmp")
- ; symlinks
- (literal "@sysconfdir@")
- (literal "@sysconfdir@/nix")
- (literal "@sysconfdir@/nix/nix.conf")
- (literal "/etc/resolv.conf")
- (literal "/private/etc/resolv.conf"))
-
-(allow file-read*
- (literal "/private@sysconfdir@/nix/nix.conf")
- (literal "/private/var/run/resolv.conf"))
-
-; some builders use filehandles other than stdin/stdout
-(allow file*
- (subpath "/dev/fd")
- (literal "/dev/ptmx")
- (regex #"^/dev/[pt]ty.*$"))
-
-; allow everything inside TMP
-(allow file* process-exec
- (subpath (param "_GLOBAL_TMP_DIR"))
- (subpath "/private/tmp"))
-
-(allow process-fork)
-(allow sysctl-read)
-(allow signal (target same-sandbox))
-
-; allow getpwuid (for git and other packages)
-(allow mach-lookup
- (global-name "com.apple.system.notification_center")
- (global-name "com.apple.system.opendirectoryd.libinfo"))
-
-; allow local networking
-(allow network* (local ip) (remote unix-socket))