Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix __darwinAllowLocalNetworking sandbox #10078

Merged
merged 1 commit into from Mar 4, 2024
Merged

Fix __darwinAllowLocalNetworking sandbox #10078

merged 1 commit into from Mar 4, 2024

Conversation

szlend
Copy link
Member

@szlend szlend commented Feb 25, 2024
edited

Motivation

The sandbox rule (allow network* (local ip)) doesn't do what it implies. Using this rule permits all network traffic. We should be matching on (remote ip "localhost:*") instead.

Context

This is a first step towards fixing #6049

Similar issue experienced in Bazel bazelbuild/bazel#10068.

It's hard to tell because the sandbox is notoriously poorly documented by Apple, but it seems likely that this was working at some point and Apple made a breaking change. Either way, this has been a reported issue since at least 2019 (by other build systems), so I think it's safe to say that MacOS versions where this might still work are obsolete by now.

I tested the following scenarios with netcat on MacOS 14.3.1 (23D60) using sandbox-exec -f sandbox-defaults.sb ...:

  • tcp/udp
  • local/remote IPs
  • with and without _ALLOW_LOCAL_NETWORKING=1

Priorities and Process

Add 馃憤 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@szlend
Fix __darwinAllowLocalNetworking sandbox
d60c3f7 
The sandbox rule `(allow network* (local ip))` doesn't do what it
implies. Adding this rule permits all network traffic. We should be
matching on (remote ip "localhost:*")` instead.
thufschmitt
thufschmitt approved these changes Mar 4, 2024
View reviewed changes
Copy link
Member

@thufschmitt thufschmitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@thufschmitt thufschmitt merged commit 7764edf into NixOS:master Mar 4, 2024
11 checks passed
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-03-04-nix-team-meeting-minute-130/40830/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thufschmitt thufschmitt thufschmitt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Nix team
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@szlend @nixos-discourse @thufschmitt