Fix __darwinAllowLocalNetworking sandbox

The sandbox rule `(allow network* (local ip))` doesn't do what it implies. Adding this rule permits all network traffic. We should be matching on (remote ip "localhost:*")` instead.
2024-09-18 10:30:23 -04:00 · 2024-02-25 23:00:57 +01:00 · 2024-02-25 23:00:57 +01:00 · d60c3f7f7c
parent d83008c3a7
commit d60c3f7f7c
1 changed files with 1 additions and 1 deletions
--- a/src/libstore/build/sandbox-defaults.sb
+++ b/src/libstore/build/sandbox-defaults.sb
@ -45,7 +45,7 @@ R""(
 ; allow it if the package explicitly asks for it.
 (if (param "_ALLOW_LOCAL_NETWORKING")
    (begin
-      (allow network* (local ip) (local tcp) (local udp))
+      (allow network* (remote ip "localhost:*"))

      ; Allow access to /etc/resolv.conf (which is a symlink to
      ; /private/var/run/resolv.conf).