From 85e93d7b874f99730387714394bb60407cf138d5 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 6 Jun 2017 18:44:49 +0200 Subject: Always use the Darwin sandbox Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries. --- src/libstore/sandbox-minimal.sb | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 src/libstore/sandbox-minimal.sb (limited to 'src/libstore/sandbox-minimal.sb') diff --git a/src/libstore/sandbox-minimal.sb b/src/libstore/sandbox-minimal.sb new file mode 100644 index 000000000000..65f5108b3990 --- /dev/null +++ b/src/libstore/sandbox-minimal.sb @@ -0,0 +1,5 @@ +(allow default) + +; Disallow creating setuid/setgid binaries, since that +; would allow breaking build user isolation. +(deny file-write-setugid) -- cgit 1.4.1
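Review bot: the purpose of this file (the permissive fallback profile that the commit message says is applied even when `build-use-sandbox = false`) is stated only in the commit message, not in the profile itself; a reader of sandbox-minimal.sb alone sees `(allow default)` with a single deny and cannot tell whether the openness is intentional. Add a header comment such as `; Minimal profile used when sandboxing is disabled: allow everything except setuid/setgid creation` above `(allow default)`, and consider opening the file with `(version 1)` as sandbox profiles conventionally do. It would also help to note in the comment that `(deny file-write-setugid)` is the only isolation guarantee this profile provides and therefore only protects build-user isolation while every build process actually runs under it.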