Merge pull request #1650 from copumpkin/darwin-sandbox-unix-socket
Always allow builds to use unix domain sockets in Darwin sandbox
This commit is contained in:
commit
513b143cd8
1 changed files with 8 additions and 1 deletions
|
@ -25,7 +25,14 @@
|
||||||
(allow mach-lookup (global-name "com.apple.system.opendirectoryd.libinfo"))
|
(allow mach-lookup (global-name "com.apple.system.opendirectoryd.libinfo"))
|
||||||
|
|
||||||
; Access to /tmp.
|
; Access to /tmp.
|
||||||
(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
|
; The network-outbound/network-inbound ones are for unix domain sockets, which
|
||||||
|
; we allow access to in TMPDIR (but if we allow them more broadly, you could in
|
||||||
|
; theory escape the sandbox)
|
||||||
|
(allow file* process-exec network-outbound network-inbound
|
||||||
|
(literal "/tmp") (subpath TMPDIR))
|
||||||
|
|
||||||
|
; Always allow unix domain sockets, since they can't hurt purity or security
|
||||||
|
|
||||||
|
|
||||||
; Some packages like to read the system version.
|
; Some packages like to read the system version.
|
||||||
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
|
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
|
||||||
|
|
Loading…
Reference in a new issue