Darwin sandbox: Disallow creating setuid/setgid binaries
Suggested by Daiderd Jordan.
parent
83eec5a997
commit
53a1644187
1 changed files with 4 additions and 0 deletions
@ -2656,6 +2656,10 @@ void DerivationGoal::runChild()
sandboxProfile += "(deny default (with no-log))\n";
sandboxProfile += "(deny default (with no-log))\n";
}
}
/* Disallow creating setuid/setgid binaries, since that
would allow breaking build user isolation. */
sandboxProfile += "(deny file-write-setugid)\n";
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true);
Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true);
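Review bot: The new `sandboxProfile += "(deny file-write-setugid)\n";` is appended before whatever allow rules the rest of runChild() adds to the profile, and in the sandbox profile language a later `(allow file-write* …)` covering the same paths is, as far as I can tell, able to take precedence over this earlier deny, so the rule may be weaker than the comment promises; the later rules are outside this hunk, so this needs confirming against the full profile (a test derivation that attempts to set the setuid bit and is expected to fail would pin it down). If the ordering is intentional, the comment should say so, e.g. `/* Must not be overridden by the file-write* allow rules appended later in this profile. */`, so a future reordering of the profile does not silently drop the guarantee. Note also that, unlike the `(deny default (with no-log))` above it, the new deny has no `(with no-log)`, so violations will be logged, which is desirable for noticing builds that try this; a short comment stating that the logging is deliberate would keep a later cleanup from adding no-log here. runChild() starts and ends outside the hunk.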