mirror of
https://github.com/NixOS/nix.git
synced 2024-11-26 00:32:28 +00:00
Fix __darwinAllowLocalNetworking sandbox
The sandbox rule `(allow network* (local ip))` doesn't do what it implies. Adding this rule permits all network traffic. We should be matching on (remote ip "localhost:*")` instead.
This commit is contained in:
parent
d83008c3a7
commit
d60c3f7f7c
@ -45,7 +45,7 @@ R""(
|
|||||||
; allow it if the package explicitly asks for it.
|
; allow it if the package explicitly asks for it.
|
||||||
(if (param "_ALLOW_LOCAL_NETWORKING")
|
(if (param "_ALLOW_LOCAL_NETWORKING")
|
||||||
(begin
|
(begin
|
||||||
(allow network* (local ip) (local tcp) (local udp))
|
(allow network* (remote ip "localhost:*"))
|
||||||
|
|
||||||
; Allow access to /etc/resolv.conf (which is a symlink to
|
; Allow access to /etc/resolv.conf (which is a symlink to
|
||||||
; /private/var/run/resolv.conf).
|
; /private/var/run/resolv.conf).
|
||||||
|
Loading…
Reference in New Issue
Block a user