From acc889c82179e96537ebe1494ec13b9536d579ca Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 30 May 2017 17:40:12 +0200
Subject: Darwin sandbox: Use sandbox-defaults.sb

Issue #759.

Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
---
 src/libstore/build.cc               |  6 ++--
 src/libstore/local-store.cc         |  2 +-
 src/libstore/local.mk               | 14 ++++++---
 src/libstore/sandbox-defaults.sb    | 62 ++++++++++++++++++++++++++++++++++++
 src/libstore/sandbox-defaults.sb.in | 63 -------------------------------------
 5 files changed, 75 insertions(+), 72 deletions(-)
 create mode 100644 src/libstore/sandbox-defaults.sb
 delete mode 100644 src/libstore/sandbox-defaults.sb.in
(limited to 'src')

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 46ce562f798e..92471b228d00 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
             sandboxProfile += "(deny default (with no-log))\n";
         }
-        /* Disallow creating setuid/setgid binaries, since that
-           would allow breaking build user isolation. */
-        sandboxProfile += "(deny file-write-setugid)\n";
+        sandboxProfile +=
+#include "sandbox-defaults.sb.gen.hh"
+            ;
         /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 5b03e86f3eaa..a226e0110af1 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -320,7 +320,7 @@ void LocalStore::openDB(State & state, bool create)
     /* Initialise the database schema, if necessary. */
     if (create) {
         const char * schema =
-#include "schema.sql.hh"
+#include "schema.sql.gen.hh"
             ;
         db.exec(schema);
     }
diff --git a/src/libstore/local.mk b/src/libstore/local.mk
index ffdb55abc65b..7bc69f65d800 100644
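Review bot: The `sandboxProfile +=` / `#include "sandbox-defaults.sb.gen.hh"` splice has no comment saying where that text comes from, and it matters here: the profile is now baked into the binary at build time and, per the local.mk hunk that drops the `$(datadir)/nix` install, is no longer shipped as a file, so if the previous code read the installed copy at run time (not visible in this hunk) any site that edited that file will have its changes silently ignored after upgrading. I'd put `/* Built-in default profile: the contents of sandbox-defaults.sb, embedded as a raw string literal by the %.gen.hh rule in local.mk; changing it requires a rebuild. */` above the assignment. The embedded text must also never contain the sequence `)foo"`, since that is the raw-string terminator the generator chose, which is worth stating in the same comment. runChild begins and ends outside this hunk.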
--- a/src/libstore/local.mk
+++ b/src/libstore/local.mk
@@ -34,12 +34,16 @@ libstore_CXXFLAGS = \
   -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
   -DLSOF=\"$(lsof)\"
-$(d)/local-store.cc: $(d)/schema.sql.hh
+$(d)/local-store.cc: $(d)/schema.sql.gen.hh
-%.sql.hh: %.sql
-	$(trace-gen) sed -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $< > $@ || (rm $@ && exit 1)
+$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh
-clean-files += $(d)/schema.sql.hh
+%.gen.hh: %
+	echo 'R"foo(' >> $@.tmp
+	cat $< >> $@.tmp
+	echo ')foo"' >> $@.tmp
+	mv $@.tmp $@
+
+clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh
 $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))
-$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644))
diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
new file mode 100644
index 000000000000..6bd15603e796
--- /dev/null
+++ b/src/libstore/sandbox-defaults.sb
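Review bot: The new `%.gen.hh: %` recipe writes `$@.tmp` with `>>` only, so a `$@.tmp` left behind by an interrupted or failed earlier run (make stops before the `mv` when `cat` fails) gets the fresh content appended to it, and the next run then installs a header whose raw string starts with stale text; the first command should truncate, `echo 'R"foo(' > $@.tmp`. The rule also lost the `$(trace-gen)` prefix that the removed `%.sql.hh` recipe had, so these steps no longer appear in the build trace like the others; prefix the first command with `$(trace-gen)` for consistency. Finally, the fixed delimiter `foo` means any input containing `)foo"` would end the literal early — harmless for the two current inputs, but a one-line comment on the rule, `# embeds $< verbatim as a C++ raw string; the input must not contain )foo"`, would save the next person who adds a third generated file.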
@@ -0,0 +1,62 @@
+(allow file-read* file-write-data (literal "/dev/null"))
+(allow ipc-posix*)
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
+(allow file-read*
+  (literal "/dev/dtracehelper")
+  (literal "/dev/tty")
+  (literal "/dev/autofs_nowait")
+  (literal "/System/Library/CoreServices/SystemVersion.plist")
+  (literal "/private/var/run/systemkeychaincheck.done")
+  (literal "/private/etc/protocols")
+  (literal "/private/var/tmp")
+  (literal "/private/var/db")
+  (subpath "/private/var/db/mds"))
+
+(allow file-read*
+  (subpath "/usr/share/icu")
+  (subpath "/usr/share/locale")
+  (subpath "/usr/share/zoneinfo"))
+
+(allow file-write*
+  (literal "/dev/tty")
+  (literal "/dev/dtracehelper")
+  (literal "/mds"))
+
+(allow file-ioctl (literal "/dev/dtracehelper"))
+
+(allow file-read-metadata
+  (literal "/var")
+  (literal "/tmp")
+  (literal "/etc/resolv.conf")
+  (literal "/private/etc/resolv.conf"))
+
+(allow file-read*
+  (literal "/private/var/run/resolv.conf"))
+
+; some builders use filehandles other than stdin/stdout
+(allow file*
+  (subpath "/dev/fd")
+  (literal "/dev/ptmx")
+  (regex #"^/dev/[pt]ty.*$"))
+
+; allow everything inside TMP
+(allow file* process-exec
+  (subpath (param "_GLOBAL_TMP_DIR"))
+  (subpath "/private/tmp"))
+
+(allow process-fork)
+(allow sysctl-read)
+(allow signal (target same-sandbox))
+
+; allow getpwuid (for git and other packages)
+(allow mach-lookup
+  (global-name "com.apple.system.notification_center")
+  (global-name "com.apple.system.opendirectoryd.libinfo"))
+
+; allow local networking
+(allow network* (local ip) (remote unix-socket))
+
+; Disallow creating setuid/setgid binaries, since that
+; would allow breaking build user isolation.
+(deny file-write-setugid)
diff --git a/src/libstore/sandbox-defaults.sb.in b/src/libstore/sandbox-defaults.sb.in
deleted file mode 100644
index b5e80085fbe2..000000000000
--- a/src/libstore/sandbox-defaults.sb.in
+++ /dev/null
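Review bot: The `(deny file-write-setugid)` at the end of the file only keeps its teeth because of rule order: as far as I understand the sandbox profile language, a later rule takes precedence over an earlier one, so placed last it overrides the `(allow file* ...)` rules for `_GLOBAL_TMP_DIR` and `/private/tmp` above it — but it now also precedes whatever build.cc appends to `sandboxProfile` after this embedded text (runChild continues outside the hunk), so any later `(allow file* ...)` or `(allow file-write* ...)` on a path would re-enable setuid/setgid creation there, and nothing in this file records that constraint. I'd make it explicit right above the rule: `; Keep this rule last in this file, and do not append any (allow file*) / (allow file-write*) after it in build.cc: later rules take precedence, so an allow placed after this deny would re-open setuid/setgid creation.` A one-line header noting that the file is embedded into build.cc as a C++ raw string by local.mk (so it must not contain `)foo"` and edits take effect only after a rebuild) would also help, since the old `.sb.in` was installed as a file and this one is not.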
@@ -1,63 +0,0 @@
-(allow file-read* file-write-data (literal "/dev/null"))
-(allow ipc-posix*)
-(allow mach-lookup (global-name "com.apple.SecurityServer"))
-
-(allow file-read*
-  (literal "/dev/dtracehelper")
-  (literal "/dev/tty")
-  (literal "/dev/autofs_nowait")
-  (literal "/System/Library/CoreServices/SystemVersion.plist")
-  (literal "/private/var/run/systemkeychaincheck.done")
-  (literal "/private/etc/protocols")
-  (literal "/private/var/tmp")
-  (literal "/private/var/db")
-  (subpath "/private/var/db/mds"))
-
-(allow file-read*
-  (subpath "/usr/share/icu")
-  (subpath "/usr/share/locale")
-  (subpath "/usr/share/zoneinfo"))
-
-(allow file-write*
-  (literal "/dev/tty")
-  (literal "/dev/dtracehelper")
-  (literal "/mds"))
-
-(allow file-ioctl (literal "/dev/dtracehelper"))
-
-(allow file-read-metadata
-  (literal "/var")
-  (literal "/tmp")
-  ; symlinks
-  (literal "@sysconfdir@")
-  (literal "@sysconfdir@/nix")
-  (literal "@sysconfdir@/nix/nix.conf")
-  (literal "/etc/resolv.conf")
-  (literal "/private/etc/resolv.conf"))
-
-(allow file-read*
-  (literal "/private@sysconfdir@/nix/nix.conf")
-  (literal "/private/var/run/resolv.conf"))
-
-; some builders use filehandles other than stdin/stdout
-(allow file*
-  (subpath "/dev/fd")
-  (literal "/dev/ptmx")
-  (regex #"^/dev/[pt]ty.*$"))
-
-; allow everything inside TMP
-(allow file* process-exec
-  (subpath (param "_GLOBAL_TMP_DIR"))
-  (subpath "/private/tmp"))
-
-(allow process-fork)
-(allow sysctl-read)
-(allow signal (target same-sandbox))
-
-; allow getpwuid (for git and other packages)
-(allow mach-lookup
-  (global-name "com.apple.system.notification_center")
-  (global-name "com.apple.system.opendirectoryd.libinfo"))
-
-; allow local networking
-(allow network* (local ip) (remote unix-socket))
-- 
cgit 1.4.1