From cf6fd918046f5281409c028126f5a02ec0bbefa4 Mon Sep 17 00:00:00 2001
From: Lily Ballard
Date: Thu, 26 Sep 2019 12:17:06 -0700
Subject: [PATCH] macvim: Add sandboxProfile
This allows full filesystem access except for Homebrew. This is because we don't know where Xcode will be installed so we can't just whitelist it and its dependencies.
---
 pkgs/applications/editors/vim/macvim.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pkgs/applications/editors/vim/macvim.nix b/pkgs/applications/editors/vim/macvim.nix
index 3df964361cc8..b639ab617849 100644
--- a/pkgs/applications/editors/vim/macvim.nix
+++ b/pkgs/applications/editors/vim/macvim.nix
@@ -133,6 +133,15 @@ stdenv.mkDerivation {
 find $out/share/man \( -name eVim.1 -or -name xxd.1 \) -delete
 '';
+ # We rely on the user's Xcode install to build. It may be located in an arbitrary place, and
+ # it's not clear what system-level components it may require, so for now we'll just allow full
+ # filesystem access. This way the package still can't access the network.
+ sandboxProfile = ''
+ (allow file-read* file-write* process-exec mach-lookup)
+ ; block homebrew dependencies
+ (deny file-read* file-write* process-exec mach-lookup (subpath "/usr/local") (with no-log))
+ '';
 meta = with stdenv.lib; {
 description = "Vim - the text editor - for macOS";
 homepage = https://github.com/macvim-dev/macvim;
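Review bot: The blanket `(allow file-read* file-write* process-exec mach-lookup)` grants unrestricted writes to the whole filesystem, but the comment above it only justifies reads (locating Xcode and whatever system components it needs), so the only thing still containing this build is the POSIX permissions of the build user; if the toolchain does not need to write outside the build directory, drop `file-write*` from the allow rule, and if it does, name the location in the comment. The following deny covers only `/usr/local`, so any other third-party prefix (MacPorts' `/opt/local`, for example) remains readable and executable and can silently leak into the build; extending the deny to `(subpath "/opt/local")` would keep the stated intent. Because the deny uses `(with no-log)`, such impurities leave no trace in the sandbox log, which is worth stating in the comment so a future debugger knows where not to look, e.g. `; later SBPL rules take precedence, so this deny overrides the allow above; no-log suppresses the violation report`. The correctness of the override also depends on this rule being evaluated after the allow, which the current ordering provides but nothing documents.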