Darwin sandbox: Use sandbox-defaults.sb

Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
2025-07-07 01:51:47 +02:00 · 2017-05-30 17:40:12 +02:00 · 2017-05-30 17:40:12 +02:00 · acc889c821
commit acc889c821
parent 53a1644187
5 changed files with 19 additions and 16 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
                sandboxProfile += "(deny default (with no-log))\n";
            }

-            /* Disallow creating setuid/setgid binaries, since that
-               would allow breaking build user isolation. */
-            sandboxProfile += "(deny file-write-setugid)\n";
+            sandboxProfile +=
+#include "sandbox-defaults.sb.gen.hh"
+                ;

            /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
               to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */