mirror of https://github.com/NixOS/nix synced 2024-09-19 10:50:24 -04:00

Document that the macOS sandbox is not a security boundary

See e.g. discussion in https://github.com/NixOS/nix/pull/11270
Andrew Marshall 2024-09-11 17:29:11 -04:00
parent 34dd70d287
commit 9492a64005


@ -625,6 +625,9 @@ public:
`__darwinAllowLocalNetworking` attribute set to `true` will have a `__darwinAllowLocalNetworking` attribute set to `true` will have a
sandbox exception added to allow it. sandbox exception added to allow it.
The macOS sandbox has known limitations, and should not be
considered a strong security boundary.
Currently, sandboxing only work on Linux and macOS. The use of a Currently, sandboxing only work on Linux and macOS. The use of a
sandbox requires that Nix is run as root (so you should use the sandbox requires that Nix is run as root (so you should use the
build users feature to perform the actual builds under different build users feature to perform the actual builds under different
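
Review bot: The added sentence "The macOS sandbox has known limitations, and should not be considered a strong security boundary" is weaker than the commit title, which says the sandbox "is not a security boundary"; pick one claim and use it in both places, since "not a strong boundary" leaves readers room to treat it as a boundary of some kind. The sentence also does not say which limitations are meant or where to read about them, so a reader of the setting's documentation cannot judge what is and is not protected; consider naming at least one limitation or pointing to a reference, as the commit message does with the PR discussion. While this paragraph is being touched, the following context line "sandboxing only work on Linux and macOS" should read "only works".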