mirror of
https://github.com/NixOS/nix.git
synced 2024-11-25 08:12:29 +00:00
libstore: fix port binding in __darwinAllowLocalNetworking sandbox
Ind60c3f7f7c
, this was changed to close a hole in the sandbox. Unfortunately, this was too restrictive such that it made local port binding fail, thus making derivations that needed `__darwinAllowLocalNetworking` gain nearly nothing, and thus largely fail (as the primary use for it is to enable port binding). This unfortunately does mean that a sandboxed build process can, in coordination with an actor outside the sandbox, escape the sandbox by binding a port and connecting to it externally to send data. I do not see a way around this with my experimentation and understanding of the (quite undocumented) macOS sandbox profile API. Notably it seems not possible to use the sandbox to do any of: - Restrict the remote IP of inbound network requests - Restrict the address being bound to As such, the `(local ip "*:*")` here appears to be functionally no different than `(local ip "localhost:*")` (however it *should* be different than removing the filter entirely, as that would make it also apply to non-IP networking). Doing `(allow network-inbound (require-all (local ip "localhost:*") (remote ip "localhost:*")))` causes listening to fail. Note that `network-inbound` implies `network-bind`. (cherry picked from commit00f6db36fd
)
This commit is contained in:
parent
8ac1a39722
commit
53ce99f27b
@ -46,6 +46,7 @@ R""(
|
|||||||
(if (param "_ALLOW_LOCAL_NETWORKING")
|
(if (param "_ALLOW_LOCAL_NETWORKING")
|
||||||
(begin
|
(begin
|
||||||
(allow network* (remote ip "localhost:*"))
|
(allow network* (remote ip "localhost:*"))
|
||||||
|
(allow network-inbound (local ip "*:*")) ; required to bind and listen
|
||||||
|
|
||||||
; Allow access to /etc/resolv.conf (which is a symlink to
|
; Allow access to /etc/resolv.conf (which is a symlink to
|
||||||
; /private/var/run/resolv.conf).
|
; /private/var/run/resolv.conf).
|
||||||
|
Loading…
Reference in New Issue
Block a user