Always use the Darwin sandbox

Even with "build-use-sandbox = false", we now use sandboxing with a
permissive profile that allows everything except the creation of
setuid/setgid binaries.

1 files changed, 5 insertions, 0 deletions

diff --git a/src/libstore/sandbox-minimal.sb b/src/libstore/sandbox-minimal.sb
new file mode 100644
index 000000000000..65f5108b3990
--- /dev/null
+++ b/src/libstore/sandbox-minimal.sb
@@ -0,0 +1,5 @@
+(allow default)
+
+; Disallow creating setuid/setgid binaries, since that
+; would allow breaking build user isolation.
+(deny file-write-setugid)