wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-08 11:03:54 +02:00
Code Activity

sandbox: allow SystemVersionCompat.plist on Darwin

Browse source 
For whatever reason, many programs trying to access SystemVersion.plist
also open SystemVersionCompat.plist; this includes Python code and
coreutils’ `cat(1)` (but not the native macOS `/bin/cat`). Illustratory
`dtruss(1m)` output:

    open("/System/Library/CoreServices/SystemVersion.plist\0", 0x0, 0x0)		 = 3 0
    open("/System/Library/CoreServices/SystemVersionCompat.plist\0", 0x0, 0x0)		 = 4 0

I assume this is a Big Sur change relating to the 10.16.x/11.x
version compatibility divide and that it’s something along the lines of
a hook inside libSystem.

Fixes a lot of sandboxed package builds under Big Sur.

(cherry picked from commit 559a504da7)
Signed-off-by: Domen Kožar <domen@dev.si>
This commit is contained in:
Emily 2021-05-17 00:15:30 +01:00 committed by Domen Kožar
parent 405d78eafc
commit 76c7f5f215
No known key found for this signature in database
GPG key ID: C2FFBCAFD2C24246
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/libstore/sandbox-defaults.sb
View file

@ -32,7 +32,9 @@
(literal "/tmp") (subpath TMPDIR)) (literal "/tmp") (subpath TMPDIR))
; Some packages like to read the system version. ; Some packages like to read the system version.
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) (allow file-read*
(literal "/System/Library/CoreServices/SystemVersion.plist")
(literal "/System/Library/CoreServices/SystemVersionCompat.plist"))
; Without this line clang cannot write to /dev/null, breaking some configure tests. ; Without this line clang cannot write to /dev/null, breaking some configure tests.
(allow file-read-metadata (literal "/dev")) (allow file-read-metadata (literal "/dev"))