From c96e8cd097ce0d181467fddd92acad4341ca566a Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Wed, 31 May 2017 17:23:27 +0200
Subject: OS X sandbox: Improve builtin sandbox profile

Also, add rules to allow fixed-output derivations to access the
network.

These rules are sufficient to build stdenvDarwin without any
__sandboxProfile magic.
---
 src/libstore/sandbox-network.sb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 src/libstore/sandbox-network.sb

(limited to 'src/libstore/sandbox-network.sb')

diff --git a/src/libstore/sandbox-network.sb b/src/libstore/sandbox-network.sb
new file mode 100644
index 0000000000..56beec761f
--- /dev/null
+++ b/src/libstore/sandbox-network.sb
@@ -0,0 +1,16 @@
+; Allow local and remote network traffic.
+(allow network* (local ip) (remote ip))
+
+; Allow access to /etc/resolv.conf (which is a symlink to
+; /private/var/run/resolv.conf).
+(allow file-read-metadata
+       (literal "/var")
+       (literal "/etc")
+       (literal "/etc/resolv.conf")
+       (literal "/private/etc/resolv.conf"))
+
+(allow file-read*
+       (literal "/private/var/run/resolv.conf"))
+
+; Allow DNS lookups.
+(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
-- 
cgit 1.4.1