authorEelco Dolstra <edolstra@gmail.com>2017-06-06T16·44+0200
committerEelco Dolstra <edolstra@gmail.com>2017-06-06T16·44+0200
commit85e93d7b874f99730387714394bb60407cf138d5 (patch)
treea8b27c3200ce4d8dca85d9dc3f414bedb3c1d0bc /src/libstore/sandbox-defaults.sb
parentd3f780996c05d348bd44fe846520153d5c1ae31c (diff)
Always use the Darwin sandbox
Even with "build-use-sandbox = false", we now use sandboxing with a
permissive profile that allows everything except the creation of
setuid/setgid binaries.
Diffstat (limited to 'src/libstore/sandbox-defaults.sb')
-rw-r--r--src/libstore/sandbox-defaults.sb2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
index 0292f5ee8825..d63c8f813c9e 100644
--- a/src/libstore/sandbox-defaults.sb
+++ b/src/libstore/sandbox-defaults.sb
@@ -1,5 +1,7 @@
 (define TMPDIR (param "_GLOBAL_TMP_DIR"))
 
+(deny default)
+
 ; Disallow creating setuid/setgid binaries, since that
 ; would allow breaking build user isolation.
 (deny file-write-setugid)
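Review bot: The new `(deny default)` at the top of sandbox-defaults.sb has no comment, although it is the line that makes every profile built on this file deny-by-default, and the rule just below it is documented. I would add something like `; Strict profile: deny every operation that is not explicitly allowed.` above it. The commit message describes a permissive profile that allows everything except setuid/setgid creation, but this diff is limited to one file and does not show how that profile is assembled. It is worth confirming that the permissive path does not pick up this default. It should also still carry its own `(deny file-write-setugid)`, since that rule is the only isolation guarantee left when sandboxing is turned off. The rest of the file lies outside the hunk.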