diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2017-10-30T17·54+0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-30T17·54+0100 |
commit | 197922ea4e76ec9439d487e2d16411495a71df4e (patch) | |
tree | f6585def3243a7791997793c49a779e2329a5417 /src/libstore | |
parent | f90f660b243866b8860eeb24cc4a345d32cc7ce7 (diff) | |
parent | 4a4a009f78d7267d58a1dbd95f70f12ee3fe89f2 (diff) |
Merge pull request #1646 from copumpkin/optional-sandbox-local-network
Allow optional localhost network access to sandboxed derivations
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 12 | ||||
-rw-r--r-- | src/libstore/sandbox-defaults.sb | 26 |
2 files changed, 33 insertions, 5 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 9f8edc826a04..061682377257 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2833,10 +2833,10 @@ void DerivationGoal::runChild() sandboxProfile += "(deny default (with no-log))\n"; } - sandboxProfile += "(import \"sandbox-defaults.sb\")"; + sandboxProfile += "(import \"sandbox-defaults.sb\")\n"; if (fixedOutput) - sandboxProfile += "(import \"sandbox-network.sb\")"; + sandboxProfile += "(import \"sandbox-network.sb\")\n"; /* Our rwx outputs */ sandboxProfile += "(allow file-read* file-write* process-exec\n"; @@ -2879,7 +2879,7 @@ void DerivationGoal::runChild() sandboxProfile += additionalSandboxProfile; } else - sandboxProfile += "(import \"sandbox-minimal.sb\")"; + sandboxProfile += "(import \"sandbox-minimal.sb\")\n"; debug("Generated sandbox profile:"); debug(sandboxProfile); @@ -2888,6 +2888,8 @@ void DerivationGoal::runChild() writeFile(sandboxFile, sandboxProfile); + bool allowLocalNetworking = get(drv->env, "__darwinAllowLocalNetworking") == "1"; + /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */ Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true); @@ -2903,6 +2905,10 @@ void DerivationGoal::runChild() args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back("-D"); args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/"); + if (allowLocalNetworking) { + args.push_back("-D"); + args.push_back(string("_ALLOW_LOCAL_NETWORKING=1")); + } args.push_back(drv->builder); } #endif diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb index d63c8f813c9e..cf700c62c6fb 100644 --- a/src/libstore/sandbox-defaults.sb +++ b/src/libstore/sandbox-defaults.sb @@ -30,6 +30,29 @@ ; Without this line clang cannot write to /dev/null, breaking some configure tests. (allow file-read-metadata (literal "/dev")) +; Many packages like to do local networking in their test suites, but let's only +; allow it if the package explicitly asks for it. +(if (param "_ALLOW_LOCAL_NETWORKING") + (begin + (allow network* (local ip) (local tcp) (local udp)) + + ; Allow access to /etc/resolv.conf (which is a symlink to + ; /private/var/run/resolv.conf). + ; TODO: deduplicate with sandbox-network.sb + (allow file-read-metadata + (literal "/var") + (literal "/etc") + (literal "/etc/resolv.conf") + (literal "/private/etc/resolv.conf")) + + (allow file-read* + (literal "/private/var/run/resolv.conf")) + + ; Allow DNS lookups. This is even needed for localhost, which lots of tests rely on + (allow file-read-metadata (literal "/etc/hosts")) + (allow file-read* (literal "/private/etc/hosts")) + (allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder"))))) + ; Standard devices. (allow file* (literal "/dev/null") @@ -54,5 +77,4 @@ (allow file-read-metadata (literal "/etc") (literal "/var") - (literal "/private/var/tmp") - ) + (literal "/private/var/tmp")) |