diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/libstore/sandbox-defaults.sb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb index cf700c62c6fb..b4e29c94381c 100644 --- a/src/libstore/sandbox-defaults.sb +++ b/src/libstore/sandbox-defaults.sb @@ -22,7 +22,14 @@ (allow signal (target same-sandbox)) ; Access to /tmp. -(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) +; The network-outbound/network-inbound ones are for unix domain sockets, which +; we allow access to in TMPDIR (but if we allow them more broadly, you could in +; theory escape the sandbox) +(allow file* process-exec network-outbound network-inbound + (literal "/tmp") (subpath TMPDIR)) + +; Always allow unix domain sockets, since they can't hurt purity or security + ; Some packages like to read the system version. (allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) |