build_soong/ui/build/sandbox/darwin/global.sb
Dan Willemsen c59a92cb1a Revert "Revert "Add path interposer""
This reverts commit 96c957ae20.

Fixes issues on some machines where the socket in TMPDIR ended up with a
unix domain socket pathname over 107 characters long, which Go will
reject due to underlying limitations in the system calls. If this
happens, we'll fall back to opening the directory, then using
/proc/self/fd/#/<file>, or manually creating a similar symlink in /tmp.

Also fixes some issues on Mac where os.Executable returns the symlink
instead of the underlying file, sending a message over a unix domain
socket will block if the reader isn't reading, and sandboxing was
preventing us from running `ps`.

Test: m blueprint_tools
Test: m blueprint_tools on mac
Change-Id: Ib19ccfe10cb0a79f1476fb1d5cd20ed0495be367
2018-05-25 14:07:00 -07:00


(version 1)
; macOS sandbox profile (SBPL); judging by its path and comments it is used for
; Soong build commands.
; Values read through (param ...): OUT_DIR, DIST_DIR and HOME. They are supplied
; by whatever loads this profile, which is not visible in this file.
; NOTE(review): sandbox path filters are presumably matched against resolved
; paths (this file itself uses /private/var/folders rather than /var/folders),
; so the caller should pass symlink-free absolute paths -- confirm at the call site.

; TODO: (deny default)
; NOTE(review): with `allow default`, any operation not matched by a rule below
; is still permitted; the `report` modifier presumably only logs it. Until the
; TODO above is done, this profile is advisory: the only hard restriction stated
; in this file is the explicit deny on ~/.oracle_jre_usage. The allow rules
; below describe the intended allowlist (and appear to keep those operations
; out of the report log) rather than enforce it.
(allow default (with report))
; Import apple-defined rules for bsd daemons
(import "bsd.sb")
; Allow reading of any file
; NOTE(review): reads are unrestricted by design, so the sandbox gives no
; confidentiality protection for files the build user can already read.
(allow file-read*)
; Allow writing to $OUT_DIR and $DIST_DIR
; `subpath` covers the directory and everything beneath it.
(allow file-write*
(subpath (param "OUT_DIR"))
(subpath (param "DIST_DIR")))
; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore
; `no-log` keeps this expected denial out of the sandbox log.
(deny file-write* (with no-log)
(subpath (string-append (param "HOME") "/.oracle_jre_usage")))
; Allow writes to user-specific temp folders (Java stores hsperfdata there)
; NOTE(review): this is the whole /private/var/folders tree, not only the
; current user's directory; the sandbox does not narrow it further, so regular
; file permissions are what separate users here.
(allow file-write*
(subpath "/private/var/folders"))
; Allow writing to the terminal
(allow file-write-data
(subpath "/dev/tty"))
; Mach services that sandboxed tools may look up; the trailing comment on each
; entry names the tool that needs it.
; Java
(allow mach-lookup
(global-name "com.apple.SystemConfiguration.configd") ; Java
(global-name "com.apple.CoreServices.coreservicesd") ; xcodebuild in Soong
(global-name "com.apple.FSEvents") ; xcodebuild in Soong
(global-name "com.apple.lsd.mapdb") ; xcodebuild in Soong
(global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong
)
; Allow suid /bin/ps to function
; NOTE(review): `no-sandbox` means the exec'd /bin/ps is not confined by this
; profile at all. The filter is a `literal` path, so the exemption is limited
; to that one binary; keep it that way (no subpath/regex) if this rule is
; ever edited.
(allow process-exec (literal "/bin/ps") (with no-sandbox))
; Allow path_interposer unix domain socket without logging
; The socket path is $OUT_DIR/.path_interposer_log, matched as an exact literal.
(allow network-outbound (literal (string-append (param "OUT_DIR") "/.path_interposer_log")))
; Allow executing any file
; NOTE(review): exec and fork are unrestricted; once `deny default` is enabled
; these two rules will be what keeps arbitrary build tools runnable, so they
; define how much process-level containment the profile can offer.
(allow process-exec*)
(allow process-fork)