Merge 9492a64005 into 806a91f7bf

2024-10-18 00:16:11 -04:00 · 2024-10-15 11:30:18 +02:00 · 2024-10-15 11:30:18 +02:00 · 60ac7837a3
parent 806a91f7bf 9492a64005
commit 60ac7837a3
1 changed files with 14 additions and 5 deletions
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -613,11 +613,20 @@ public:
          `/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths
          configured with the `sandbox-paths` option. This is useful to
          prevent undeclared dependencies on files in directories such as
-          `/usr/bin`. In addition, on Linux, builds run in private PID,
-          mount, network, IPC and UTS namespaces to isolate them from other
-          processes in the system (except that fixed-output derivations do
-          not run in private network namespace to ensure they can access the
-          network).
+          `/usr/bin`.
+
+          In addition, on Linux, builds run in private PID, mount, network,
+          IPC and UTS namespaces to isolate them from other processes in the
+          system (except that fixed-output derivations do not run in private
+          network namespace to ensure they can access the network).
+
+          On macOS, local port binding is disabled by default when the
+          sandbox is enabled. Derivations that have the
+          `__darwinAllowLocalNetworking` attribute set to `true` will have a
+          sandbox exception added to allow it.
+
+          The macOS sandbox has known limitations, and should not be
+          considered a strong security boundary.

          Currently, sandboxing only work on Linux and macOS. The use of a
          sandbox requires that Nix is run as root (so you should use the