mirror of https://github.com/NixOS/nix synced 2024-09-19 10:50:24 -04:00

Document __darwinAllowLocalNetworking sandbox exception

Split the larger paragraph above so OS-specific bits are in separate
paragraphs. No changes to the split out text (just reformatting lines).
Andrew Marshall 2024-09-11 17:29:00 -04:00
parent 48477d4a3e
commit 34dd70d287


@ -613,11 +613,17 @@ public:
`/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths `/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths
configured with the `sandbox-paths` option. This is useful to configured with the `sandbox-paths` option. This is useful to
prevent undeclared dependencies on files in directories such as prevent undeclared dependencies on files in directories such as
`/usr/bin`. In addition, on Linux, builds run in private PID, `/usr/bin`.
mount, network, IPC and UTS namespaces to isolate them from other
processes in the system (except that fixed-output derivations do In addition, on Linux, builds run in private PID, mount, network,
not run in private network namespace to ensure they can access the IPC and UTS namespaces to isolate them from other processes in the
network). system (except that fixed-output derivations do not run in private
network namespace to ensure they can access the network).
On macOS, local port binding is disabled by default when the
sandbox is enabled. Derivations that have the
`__darwinAllowLocalNetworking` attribute set to `true` will have a
sandbox exception added to allow it.
Currently, sandboxing only work on Linux and macOS. The use of a Currently, sandboxing only work on Linux and macOS. The use of a
sandbox requires that Nix is run as root (so you should use the sandbox requires that Nix is run as root (so you should use the