darwin sandbox #3429
Conversation
This is used to determine the dependency tree of impure libraries so nix knows what paths to open in the sandbox. With the less restrictive defaults it isn't needed anymore.
Nix now runs builds with a pseudo-terminal to enable colored build output.
Sadly, 10.15 changed /bin/sh to a shim which executes bash; this means it can't be used anymore without also opening up the sandbox to allow bash. Failed to exec /bin/bash as variant for /bin/sh (1: Operation not permitted).
/* chroot-like behavior from Apple's sandbox */
#if __APPLE__
sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib");
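Review bot: the sandboxPaths literal under `#if __APPLE__` now whitelists /bin/bash for every build, but the only nearby comment (`/* chroot-like behavior from Apple's sandbox */`) does not say why. Record the reason next to the list (the 10.15 /bin/sh shim exec's /bin/bash, so /bin/sh is unusable without it), so that a later cleanup does not drop /bin/bash and silently break /bin/sh, and so the entry can be revisited if Apple changes the shim.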
I would really prefer not to need bash here (#3223) but other than either disallowing /bin/sh completely or having nix depend on something like fuse bindfs I don't think we can work around it. 😕
I really wish there was some way to say "allow /bin/bash but only when executed by /bin/sh" 🤷♀️
; This is used by /bin/sh on macOS 10.15 and later.
(allow file*
(literal "/private/var/select/sh"))
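Review bot: `file*` on /private/var/select/sh grants write as well as read access, which is more than a build needs in order to consult the shell selector; if the rule is kept at all, narrow it to `file-read*`. Given the point raised in this thread that denying the path makes /bin/sh resolve to bash deterministically, at the cost of one error message, the deny is the safer default: with access allowed, a user who switches the selector to zsh gets a /bin/sh that fails, because /bin/zsh is not among the allowed paths.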
We actually want to explicitly disallow access to this, because this file is what's used to control whether /bin/sh is bash or zsh. If we disallow access it will always resolve to bash. If we allow access then the user can configure it to be zsh instead.
Thought I tested that and it failed, but looks like it's indeed only an error message.
$ sandbox-exec -f sandbox.sb /bin/sh -c "echo ok"
Error opening /private/var/select/sh: Operation not permitted
ok
Luckily it doesn't really matter, and not having to spew errors out by default is nice.
Failed to exec /bin/zsh as variant for /bin/sh (1: Operation not permitted). Falling back to /bin/bash.
ok
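An added sandbox-profile fragment, written here as an illustration and not taken from the PR or from Nix's own profile, showing the deny-by-default shape this thread settles on: /bin/sh and /bin/bash are readable and executable, the selector file is denied so the shim always falls back to bash, and /bin/zsh is never reachable. The path names are the ones from the diff above; the file name `sandbox.sb` and the existence of a base profile that grants the library and framework paths every process needs at startup are assumptions.

```scheme
(version 1)
; Default-deny: everything not listed below is blocked. An assumed base
; profile (not shown here) supplies the usual allowances for /usr/lib, the
; dyld cache and the System frameworks that any process needs to start.
(deny default)

; The 10.15 /bin/sh shim exec's /bin/bash, so both must be readable and
; executable for /bin/sh to work at all.
(allow file-read* process-exec
       (literal "/bin/sh")
       (literal "/bin/bash"))

; Explicitly deny the shell selector. The default deny already covers it;
; spelling it out documents the intent. The shim then reports
; "Error opening /private/var/select/sh: Operation not permitted" and
; falls back to /bin/bash, so the shell a build gets is deterministic.
(deny file* (literal "/private/var/select/sh"))

; /bin/zsh is deliberately absent from every allow rule: even if a user
; pointed the selector at zsh, process-exec of /bin/zsh would be refused.
```

Check it the same way the thread does, with `sandbox-exec -f sandbox.sb /bin/sh -c "echo ok"`: the expected result is the single "Error opening /private/var/select/sh" line followed by `ok`. If the selector rule is changed to an allow, the minimum that still lets the shim read its one byte of configuration is `file-read*`, not `file*`.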
Fix NixOS#9769 As @abathur reports, it seems to be unused since NixOS#3429 in 2020.
This should make the darwin sandbox functional by default, resolving the issues with dependency tracking of impurities like frameworks in favour of opening up the default sandbox a bit more.