From 34dd70d2874a56cad9e412f264b209ddd19e89c9 Mon Sep 17 00:00:00 2001 From: Andrew Marshall Date: Wed, 11 Sep 2024 17:29:00 -0400 Subject: [PATCH] Document __darwinAllowLocalNetworking sandbox exception Split the larger paragraph above so OS-specific bits are in separate paragraphs. No changes to the split out text (just reformatting lines). --- src/libstore/globals.hh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index be922c9f7..8765a6a62 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -613,11 +613,17 @@ public: `/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths configured with the `sandbox-paths` option. This is useful to prevent undeclared dependencies on files in directories such as - `/usr/bin`. In addition, on Linux, builds run in private PID, - mount, network, IPC and UTS namespaces to isolate them from other - processes in the system (except that fixed-output derivations do - not run in private network namespace to ensure they can access the - network). + `/usr/bin`. + + In addition, on Linux, builds run in private PID, mount, network, + IPC and UTS namespaces to isolate them from other processes in the + system (except that fixed-output derivations do not run in private + network namespace to ensure they can access the network). + + On macOS, local port binding is disabled by default when the + sandbox is enabled. Derivations that have the + `__darwinAllowLocalNetworking` attribute set to `true` will have a + sandbox exception added to allow it. Currently, sandboxing only work on Linux and macOS. The use of a sandbox requires that Nix is run as root (so you should use the
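Review bot: the new macOS paragraph leaves "allow it" ambiguous and says nothing about what the exception costs; the hunk should name the thing being allowed ("local port binding" from the preceding sentence) and state plainly that setting `__darwinAllowLocalNetworking = true` weakens the sandbox for that derivation, since this is the kind of opt-in readers copy-paste without reading. Suggested wording for the last two lines: "Derivations that set the `__darwinAllowLocalNetworking` attribute to `true` get a sandbox exception that permits local port binding; use this only for builds that genuinely need a loopback listener, because it relaxes the isolation described above." The Linux paragraph also explicitly exempts fixed-output derivations from the private network namespace; the macOS paragraph should say whether fixed-output derivations are treated the same way on macOS or whether they too need the attribute, otherwise readers will assume one or the other. While touching this block, the unchanged context line "Currently, sandboxing only work on Linux and macOS" should read "only works".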