macvim: Add sandboxProfile
This allows full filesystem access except for Homebrew. This is because we don't know where Xcode will be installed so we can't just whitelist it and its dependencies.
This commit is contained in:
parent
6f3b44baa4
commit
cf6fd91804
1 changed files with 9 additions and 0 deletions
|
@ -133,6 +133,15 @@ stdenv.mkDerivation {
|
||||||
find $out/share/man \( -name eVim.1 -or -name xxd.1 \) -delete
|
find $out/share/man \( -name eVim.1 -or -name xxd.1 \) -delete
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
# We rely on the user's Xcode install to build. It may be located in an arbitrary place, and
|
||||||
|
# it's not clear what system-level components it may require, so for now we'll just allow full
|
||||||
|
# filesystem access. This way the package still can't access the network.
|
||||||
|
sandboxProfile = ''
|
||||||
|
(allow file-read* file-write* process-exec mach-lookup)
|
||||||
|
; block homebrew dependencies
|
||||||
|
(deny file-read* file-write* process-exec mach-lookup (subpath "/usr/local") (with no-log))
|
||||||
|
'';
|
||||||
|
|
||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
description = "Vim - the text editor - for macOS";
|
description = "Vim - the text editor - for macOS";
|
||||||
homepage = https://github.com/macvim-dev/macvim;
|
homepage = https://github.com/macvim-dev/macvim;
|
||||||
|
|
Loading…
Reference in a new issue