sandbox: fix /bin/sh on catalina

Sadly 10.15 changed /bin/sh to a shim which executes bash, this means it can't be used anymore without also opening up the sandbox to allow bash. Failed to exec /bin/bash as variant for /bin/sh (1: Operation not permitted).
domenkozar · Mar 20, 2020 · 2e9bc12 · 2e9bc12
1 parent f6c122a
commit 2e9bc12
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
@@ -64,7 +64,7 @@ Settings::Settings()
 
 /* chroot-like behavior from Apple's sandbox */
 #if __APPLE__
-    sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /private/tmp /private/var/tmp /usr/lib");
+    sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib");
     allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh");
 #endif
 }

diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
@@ -91,3 +91,7 @@
        (literal "/etc")
        (literal "/var")
        (literal "/private/var/tmp"))
+
+; This is used by /bin/sh on macOS 10.15 and later.
+(allow file*
+       (literal "/private/var/select/sh"))