Emily 87d2913bbf libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
(cherry picked from commit 9feee13952)
2024-07-05 15:59:25 +00:00
2021-06-01 11:42:38 +02:00
2023-12-13 16:25:18 -05:00
2024-02-12 14:22:06 +00:00
2024-01-08 19:46:38 +01:00
2024-06-27 11:07:06 +02:00
2024-01-15 08:04:46 -05:00
2024-01-29 18:59:20 +01:00
2024-02-12 14:22:06 +00:00
2022-01-24 13:28:21 +01:00

Nix

Open Collective supporters Test

Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.

Installation and first steps

Visit nix.dev for installation instructions and beginner tutorials.

Full reference documentation can be found in the Nix manual.

Building And Developing

See our Hacking guide in our manual for instruction on how to set up a development environment and build Nix from source.

Contributing

Check the contributing guide if you want to get involved with developing Nix.

Additional Resources

License

Nix is released under the LGPL v2.1.

Description
Languages
C++ 78.1%
Shell 9.7%
Nix 7.5%
Meson 1.8%
C 1.3%
Other 1.6%