Fix ocaml#3659: Sandboxing on MacOS is too strict (ocaml#3663)
This commit allows applications to use unix sockets.

It also allows them to write to /dev/dtracehelper. This permission is
not strictly needed, as no program is broken by a denied access. However,
MacOS' dynamic loader (hence almost all the applications) wants to access
it, so the system logs are flooded by messages such as "SandboxViolation:
sh(49331) deny(1) file-write-data /dev/dtracehelper" when using opam.
silene authored and rjbou committed Dec 6, 2018
1 parent 4f3d616 commit 62753f8
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/state/shellscripts/sandbox_exec.sh
Expand Up @@ -2,7 +2,8 @@
set -ue

POL='(version 1)(allow default)(deny network*)(deny file-write*)'
POL="$POL"'(allow file-write* (literal "/dev/null"))'
POL="$POL"'(allow network* (remote unix))'
POL="$POL"'(allow file-write* (literal "/dev/null") (literal "/dev/dtracehelper"))'

add_mounts() {
local DIR="$(cd "$2" && pwd -P)"
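Review bot: The added `(allow network* (remote unix))` rule has no path restriction and uses the `network*` wildcard, so it reopens every unix-domain socket on the machine to sandboxed build and install scripts even though the base policy still says `(deny network*)`. Any local service that listens on a unix socket becomes reachable from inside the sandbox. If the cases behind ocaml#3659 only need specific sockets, scope the rule to those; if a blanket allow is intended, say so in a comment next to the line so the exception is a recorded decision. The `/dev/dtracehelper` entry also needs a comment in the script: the commit message explains that it exists only to stop the "SandboxViolation" log flood and that nothing breaks without it, but none of that is visible in `sandbox_exec.sh`, where it reads like a functional requirement. The quoted violation is for `file-write-data` while the rule grants `file-write*`, so consider allowing only the operation that was actually being denied.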