Fix __darwinAllowLocalNetworking sandbox

The sandbox rule `(allow network* (local ip))` doesn't do what it
implies. Adding this rule permits all network traffic. We should be
matching on `(remote ip "localhost:*")` instead.
Simon Žlender 2024-02-25 23:00:57 +01:00
parent d83008c3a7
commit d60c3f7f7c

@ -45,7 +45,7 @@ R""(
; allow it if the package explicitly asks for it. ; allow it if the package explicitly asks for it.
(if (param "_ALLOW_LOCAL_NETWORKING") (if (param "_ALLOW_LOCAL_NETWORKING")
(begin (begin
(allow network* (local ip) (local tcp) (local udp)) (allow network* (remote ip "localhost:*"))
; Allow access to /etc/resolv.conf (which is a symlink to ; Allow access to /etc/resolv.conf (which is a symlink to
; /private/var/run/resolv.conf). ; /private/var/run/resolv.conf).
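Review bot: On the changed `(allow network* ...)` line, the new rule filters only on the remote endpoint and drops the `(local tcp)` and `(local udp)` filters entirely, so please confirm that a build which binds and listens on a loopback port (not only one that connects out to localhost) still works when `_ALLOW_LOCAL_NETWORKING` is set. If it does not, add a separate, narrowly scoped inbound rule rather than returning to `(local ip)`. A short comment on that line saying that `(local ip)` ends up permitting all network traffic, as the commit message explains, would keep the filter from being reverted later.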