From acc889c82179e96537ebe1494ec13b9536d579ca Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Tue, 30 May 2017 17:40:12 +0200
Subject: Darwin sandbox: Use sandbox-defaults.sb

Issue #759.

Also, remove nix.conf from the sandbox since I don't really see a
legitimate reason for builders to access the Nix configuration.
---
 src/libstore/build.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/libstore/build.cc')

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 46ce562f798e..92471b228d00 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
                 sandboxProfile += "(deny default (with no-log))\n";
             }
 
-            /* Disallow creating setuid/setgid binaries, since that
-               would allow breaking build user isolation. */
-            sandboxProfile += "(deny file-write-setugid)\n";
+            sandboxProfile +=
+#include "sandbox-defaults.sb.gen.hh"
+                ;
 
             /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
                to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
-- 
cgit 1.4.1