mirror of
https://github.com/NixOS/nix.git
synced 2025-02-16 17:02:28 +00:00
a500c90375
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.
The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.
Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.
Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.
Fixes:
|
||
|---|---|---|
| .. | ||
| build-remote | ||
| libcmd | ||
| libexpr | ||
| libexpr-c | ||
| libfetchers | ||
| libmain | ||
| libstore | ||
| libstore-c | ||
| libutil | ||
| libutil-c | ||
| nix | ||
| nix-build | ||
| nix-channel | ||
| nix-collect-garbage | ||
| nix-copy-closure | ||
| nix-env | ||
| nix-instantiate | ||
| nix-store | ||
| toml11 | ||