mirror of
https://github.com/NixOS/nix
synced 2024-09-19 10:50:24 -04:00
Document that the macOS sandbox is not a security boundary
See e.g. discussion in https://github.com/NixOS/nix/pull/11270
parent
34dd70d287
commit
9492a64005
|
@ -625,6 +625,9 @@ public:
|
||||||
`__darwinAllowLocalNetworking` attribute set to `true` will have a
|
`__darwinAllowLocalNetworking` attribute set to `true` will have a
|
||||||
sandbox exception added to allow it.
|
sandbox exception added to allow it.
|
||||||
|
|
||||||
|
The macOS sandbox has known limitations, and should not be
|
||||||
|
considered a strong security boundary.
|
||||||
|
|
||||||
Currently, sandboxing only work on Linux and macOS. The use of a
|
Currently, sandboxing only work on Linux and macOS. The use of a
|
||||||
sandbox requires that Nix is run as root (so you should use the
|
sandbox requires that Nix is run as root (so you should use the
|
||||||
“build users” feature to perform the actual builds under different
|
“build users” feature to perform the actual builds under different
|
||||||
|
|
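Review bot: The added paragraph ("The macOS sandbox has known limitations, and should not be considered a strong security boundary.") names no limitation and gives the reader nothing to act on. The commit message points to the discussion in https://github.com/NixOS/nix/pull/11270, but the setting's documentation does not; consider linking it here or summarising the limitations in a sentence, and stating the consequence for the reader, for example whether macOS builds of untrusted derivations should be treated as if they were not sandboxed. The next context line still lists macOS alongside Linux without qualification ("Currently, sandboxing only work on Linux and macOS"), so the caveat might read better attached to that sentence, and "only work" could be corrected to "only works" in the same change.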