mirror of
https://github.com/NixOS/nix
synced 2024-09-19 10:50:24 -04:00
Document that the macOS sandbox is not a security boundary
See e.g. discussion in https://github.com/NixOS/nix/pull/11270
This commit is contained in:
parent
34dd70d287
commit
9492a64005
|
@ -625,6 +625,9 @@ public:
|
|||
`__darwinAllowLocalNetworking` attribute set to `true` will have a
|
||||
sandbox exception added to allow it.
|
||||
|
||||
The macOS sandbox has known limitations, and should not be
|
||||
considered a strong security boundary.
|
||||
|
||||
Currently, sandboxing only work on Linux and macOS. The use of a
|
||||
sandbox requires that Nix is run as root (so you should use the
|
||||
“build users” feature to perform the actual builds under different
|
||||
|
|
Loading…
Reference in a new issue