From c96e8cd097ce0d181467fddd92acad4341ca566a Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 31 May 2017 17:23:27 +0200
Subject: OS X sandbox: Improve builtin sandbox profile
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
---
 src/libstore/sandbox-defaults.sb | 94 +++++++++++++++++++---------------------
 1 file changed, 44 insertions(+), 50 deletions(-)
(limited to 'src/libstore/sandbox-defaults.sb')
diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
index 6bd15603e7..0292f5ee88 100644
--- a/src/libstore/sandbox-defaults.sb
+++ b/src/libstore/sandbox-defaults.sb
@@ -1,62 +1,56 @@
-(allow file-read* file-write-data (literal "/dev/null"))
-(allow ipc-posix*)
-(allow mach-lookup (global-name "com.apple.SecurityServer"))
+(define TMPDIR (param "_GLOBAL_TMP_DIR"))
-(allow file-read*
- (literal "/dev/dtracehelper")
- (literal "/dev/tty")
- (literal "/dev/autofs_nowait")
- (literal "/System/Library/CoreServices/SystemVersion.plist")
- (literal "/private/var/run/systemkeychaincheck.done")
- (literal "/private/etc/protocols")
- (literal "/private/var/tmp")
- (literal "/private/var/db")
- (subpath "/private/var/db/mds"))
+; Disallow creating setuid/setgid binaries, since that
+; would allow breaking build user isolation.
+(deny file-write-setugid)
-(allow file-read*
- (subpath "/usr/share/icu")
- (subpath "/usr/share/locale")
- (subpath "/usr/share/zoneinfo"))
+; Allow forking.
+(allow process-fork)
-(allow file-write*
- (literal "/dev/tty")
- (literal "/dev/dtracehelper")
- (literal "/mds"))
+; Allow reading system information like #CPUs, etc.
+(allow sysctl-read)
-(allow file-ioctl (literal "/dev/dtracehelper"))
+; Allow POSIX semaphores and shared memory.
+(allow ipc-posix*)
-(allow file-read-metadata
- (literal "/var")
- (literal "/tmp")
- (literal "/etc/resolv.conf")
- (literal "/private/etc/resolv.conf"))
+; Allow socket creation.
+(allow system-socket)
-(allow file-read*
- (literal "/private/var/run/resolv.conf"))
+; Allow sending signals within the sandbox.
+(allow signal (target same-sandbox))
-; some builders use filehandles other than stdin/stdout
-(allow file*
- (subpath "/dev/fd")
- (literal "/dev/ptmx")
- (regex #"^/dev/[pt]ty.*$"))
+; Access to /tmp.
+(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
-; allow everything inside TMP
-(allow file* process-exec
- (subpath (param "_GLOBAL_TMP_DIR"))
- (subpath "/private/tmp"))
+; Some packages like to read the system version.
+(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
-(allow process-fork)
-(allow sysctl-read)
-(allow signal (target same-sandbox))
+; Without this line clang cannot write to /dev/null, breaking some configure tests.
+(allow file-read-metadata (literal "/dev"))
-; allow getpwuid (for git and other packages)
-(allow mach-lookup
- (global-name "com.apple.system.notification_center")
- (global-name "com.apple.system.opendirectoryd.libinfo"))
+; Standard devices.
+(allow file*
+ (literal "/dev/null")
+ (literal "/dev/random")
+ (literal "/dev/stdin")
+ (literal "/dev/stdout")
+ (literal "/dev/tty")
+ (literal "/dev/urandom")
+ (literal "/dev/zero")
+ (subpath "/dev/fd"))
-; allow local networking
-(allow network* (local ip) (remote unix-socket))
+; Does nothing, but reduces build noise.
+(allow file* (literal "/dev/dtracehelper"))
-; Disallow creating setuid/setgid binaries, since that
-; would allow breaking build user isolation.
-(deny file-write-setugid)
+; Allow access to zoneinfo since libSystem needs it.
+(allow file-read* (subpath "/usr/share/zoneinfo"))
+
+(allow file-read* (subpath "/usr/share/locale"))
+
+; This is mostly to get more specific log messages when builds try to
+; access something in /etc or /var.
+(allow file-read-metadata
+ (literal "/etc")
+ (literal "/var")
+ (literal "/private/var/tmp")
+ )
-- cgit 1.4.1
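Review bot: The comment `; Access to /tmp.` above `(allow file* process-exec (literal "/tmp") (subpath TMPDIR))` overstates what the rule grants: `literal` matches only the path `/tmp` itself, and content access comes solely from `(subpath TMPDIR)`, so a reader could wrongly conclude that everything under /tmp is reachable from a build; suggest `; /tmp itself (literal) plus everything under the build's TMPDIR (subpath).`. The `(allow file-read* (subpath "/usr/share/locale"))` rule is the only one in the new profile without a comment; a line such as `; Read-only access to locale data.` would keep the file's every-rule-is-explained convention. The closing `)` of the final `file-read-metadata` rule sits on a line of its own, unlike the other multi-line rules in this hunk, which close on their last filter. The network rules for fixed-output derivations named in the commit message are not in this hunk (the diff is limited to this file), so they presumably live elsewhere and this profile alone should not be read as granting network access.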