nix-super

16548 commits 7 branches 0 tags 64 MiB

Author	SHA1	Message	Date
Simon Žlender	d60c3f7f7c	Fix __darwinAllowLocalNetworking sandbox The sandbox rule `(allow network* (local ip))` doesn't do what it implies. Adding this rule permits all network traffic. We should be matching on (remote ip "localhost:*")` instead.	2024-02-25 23:00:57 +01:00
Andrew Marshall	7526b7ded6	Allow access to /dev/stderr in Darwin sandbox We allow /dev/stdout, so why not this? Since it is process-local, anyway, should not be possible to escape sandbox using it.	2023-12-18 19:33:20 -05:00
Eelco Dolstra	6991e558dd	Move macOS sandbox files to sr/libstore/build	2023-01-04 04:50:45 -08:00

Author

SHA1

Message

Date

Simon Žlender

d60c3f7f7c

Fix __darwinAllowLocalNetworking sandbox

The sandbox rule `(allow network* (local ip))` doesn't do what it
implies. Adding this rule permits all network traffic. We should be
matching on (remote ip "localhost:*")` instead.

2024-02-25 23:00:57 +01:00

Andrew Marshall

7526b7ded6

Allow access to /dev/stderr in Darwin sandbox

We allow /dev/stdout, so why not this? Since it is process-local,
anyway, should not be possible to escape sandbox using it.

2023-12-18 19:33:20 -05:00

Eelco Dolstra

6991e558dd

Move macOS sandbox files to sr/libstore/build

2023-01-04 04:50:45 -08:00

Renamed from src/libstore/sandbox-defaults.sb (Browse further)

3 commits