authorJude Taylor <me@jude.bio>2015-09-29T16·03-0700
committerJude Taylor <me@jude.bio>2015-10-21T19·38-0700
commite770f941d612922a19fae0dd7552a47a64751c42 (patch)
tree6c0370484f15e38683822279b4849f50094e67a0 /src
parent6dbc9e02ecc649f6739dac3a87381223e96f5e75 (diff)
make sandbox builds more permissive
Diffstat (limited to 'src')
-rw-r--r--src/libstore/build.cc4
-rw-r--r--src/libutil/util.cc9
2 files changed, 7 insertions, 6 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 983aba938765..b11b04638040 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -59,7 +59,7 @@
 /* chroot-like behavior from Apple's sandbox */
 #if __APPLE__
     #define SANDBOX_ENABLED 1
-    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
+    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/"
 #else
     #define SANDBOX_ENABLED 0
     #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin"
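Review bot: With the Darwin default set to `"/"`, DEFAULT_ALLOWED_IMPURE_PREFIXES no longer restricts anything: every absolute host path falls under it, so whatever check consumes this list (not visible in this hunk) will presumably accept any impure dependency a derivation names. If the aim is to unblock specific builds, keeping the narrow default and letting the operator widen it through configuration preserves the allow-list for everyone else. At minimum the line needs a comment such as `/* "/" disables impure-prefix filtering on Darwin; any host path may be requested */`. The same lack of stated rationale applies to the unscoped `ipc-posix-sem` allow added to the profile in DerivationGoal::runChild(), which should say which builder needs it.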
@@ -2451,7 +2451,7 @@ void DerivationGoal::runChild()
 
             sandboxProfile += "(allow file-read* file-write-data (literal \"/dev/null\"))\n";
 
-            sandboxProfile += "(allow ipc-posix-shm*)\n";
+            sandboxProfile += "(allow ipc-posix-shm* ipc-posix-sem)\n";
 
             sandboxProfile += "(allow mach-lookup\n"
                 "\t(global-name \"com.apple.SecurityServer\")\n"
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index 11c75d2cda4c..178f78bde6da 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -167,10 +167,11 @@ string baseNameOf(const Path & path)
 
 bool isInDir(const Path & path, const Path & dir)
 {
-    return path[0] == '/'
-        && string(path, 0, dir.size()) == dir
-        && path.size() >= dir.size() + 2
-        && path[dir.size()] == '/';
+    return dir == "/"
+        || (path[0] == '/'
+            && string(path, 0, dir.size()) == dir
+            && path.size() >= dir.size() + 2
+            && path[dir.size()] == '/');
 }
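Review bot: The new `dir == "/"` short-circuit in isInDir returns true before `path[0] == '/'` is evaluated, so a relative or empty `path` is now reported as being inside `/`. It also makes `isInDir("/", "/")` true, although for every other directory `path == dir` yields false. Since this is a shared utility, any other caller that relies on it as a containment check (none visible here) would inherit that behaviour. Keeping the absolute-path and strictly-inside requirements for the root case avoids this: `if (dir == "/") return path.size() >= 2 && path[0] == '/';` placed ahead of the original expression.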