Allow access to /dev/stderr in Darwin sandbox

We allow /dev/stdout, so why not this? Since it is process-local, anyway, should not be possible to escape sandbox using it.
2024-09-19 23:03:53 -04:00 · 2023-12-18 19:33:20 -05:00 · 2023-12-18 19:33:20 -05:00 · 7526b7ded6
parent 5d5b25f2e3
commit 7526b7ded6
1 changed files with 1 additions and 0 deletions
--- a/src/libstore/build/sandbox-defaults.sb
+++ b/src/libstore/build/sandbox-defaults.sb
@ -68,6 +68,7 @@ R""(
 (allow file*
       (literal "/dev/null")
       (literal "/dev/random")
+       (literal "/dev/stderr")
       (literal "/dev/stdin")
       (literal "/dev/stdout")
       (literal "/dev/tty")