mirror of
https://github.com/NixOS/nix.git
synced 2024-11-28 17:52:25 +00:00
libstore: fix port binding in __darwinAllowLocalNetworking sandbox
In d60c3f7f7c
, this was changed to close a
hole in the sandbox. Unfortunately, this was too restrictive such that it
made local port binding fail, thus making derivations that needed
`__darwinAllowLocalNetworking` gain nearly nothing, and thus largely
fail (as the primary use for it is to enable port binding).
This unfortunately does mean that a sandboxed build process can, in
coordination with an actor outside the sandbox, escape the sandbox by
binding a port and connecting to it externally to send data. I do not
see a way around this with my experimentation and understanding of the
(quite undocumented) macOS sandbox profile API. Notably it seems not
possible to use the sandbox to do any of:
- Restrict the remote IP of inbound network requests
- Restrict the address being bound to
As such, the `(local ip "*:*")` here appears to be functionally no
different than `(local ip "localhost:*")` (however it *should* be
different than removing the filter entirely, as that would make it also
apply to non-IP networking). Doing `(allow network-inbound (require-all
(local ip "localhost:*") (remote ip "localhost:*")))` causes listening
to fail.
Note that `network-inbound` implies `network-bind`.
This commit is contained in:
parent
cfe66dbec3
commit
00f6db36fd
@ -49,6 +49,7 @@ R""(
|
|||||||
(if (param "_ALLOW_LOCAL_NETWORKING")
|
(if (param "_ALLOW_LOCAL_NETWORKING")
|
||||||
(begin
|
(begin
|
||||||
(allow network* (remote ip "localhost:*"))
|
(allow network* (remote ip "localhost:*"))
|
||||||
|
(allow network-inbound (local ip "*:*")) ; required to bind and listen
|
||||||
|
|
||||||
; Allow access to /etc/resolv.conf (which is a symlink to
|
; Allow access to /etc/resolv.conf (which is a symlink to
|
||||||
; /private/var/run/resolv.conf).
|
; /private/var/run/resolv.conf).
|
||||||
|
Loading…
Reference in New Issue
Block a user