authorJude Taylor <me@jude.bio>2015-11-19 11:33:21 -0800
committerJude Taylor <me@jude.bio>2015-11-19 11:33:21 -0800
commit7039b24cdcda600c82ad19ef197c47d8151ef367 (patch)
tree7633d827fe3b3dc84bc6a1d7613c3f72300f1157 /lib
parentc296f64f196bbd69c4fdc336d17b553f3845cb1c (diff)
cherry-pick lib.sandbox into master
Diffstat (limited to 'lib')
-rw-r--r--lib/default.nix3
-rw-r--r--lib/sandbox.nix47
2 files changed, 49 insertions, 1 deletions
diff --git a/lib/default.nix b/lib/default.nix
index cd0d8161c8cbb..32ac0c58af6cd 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -17,10 +17,11 @@ let
   systems = import ./systems.nix;
   customisation = import ./customisation.nix;
   licenses = import ./licenses.nix;
+  sandbox = import ./sandbox.nix;
 
 in
   { inherit trivial lists strings stringsWithDeps attrsets sources options
-      modules types meta debug maintainers licenses platforms systems;
+      modules types meta debug maintainers licenses platforms systems sandbox;
   }
   # !!! don't include everything at top-level; perhaps only the most
   # commonly used functions.
diff --git a/lib/sandbox.nix b/lib/sandbox.nix
new file mode 100644
index 0000000000000..414bf36f779f4
--- /dev/null
+++ b/lib/sandbox.nix
@@ -0,0 +1,47 @@
+with import ./strings.nix;
+
+/* Helpers for creating lisp S-exprs for the Apple sandbox
+
+lib.sandbox.allowFileRead [ "/usr/bin/file" ];
+  # => "(allow file-read* (literal \"/usr/bin/file\"))";
+
+lib.sandbox.allowFileRead {
+  literal = [ "/usr/bin/file" ];
+  subpath = [ "/usr/lib/system" ];
+}
+  # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
+*/
+
+let
+
+sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
+generateFileList = files:
+  if builtins.isList files
+    then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files
+    else if builtins.isString files
+      then generateFileList [ files ]
+      else concatStringsSep " " (
+        (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
+        (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
+      );
+applyToFiles = f: act: files: f "${act} ${generateFileList files}";
+genActions = actionName: let
+  action = feature: sexp [ actionName feature ];
+  self = {
+    "${actionName}" = action;
+    "${actionName}File" = applyToFiles action "file*";
+    "${actionName}FileRead" = applyToFiles action "file-read*";
+    "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
+    "${actionName}DirectoryList" = self."${actionName}FileReadMetadata";
+    "${actionName}FileWrite" = applyToFiles action "file-write*";
+    "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
+  };
+  in self;
+
+in
+
+genActions "allow" // genActions "deny" // {
+  importProfile = derivation: ''
+    (import "${derivation}")
+  '';
+}
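Review bot: Paths are spliced into the profile text unescaped in the three `sexp [ "literal" ''"${x}"'' ]` / `"subpath"` calls inside generateFileList, so a path containing `"` or `\` ends the string literal early and the remainder of the name is parsed as profile syntax; since this string becomes the sandbox policy, the shape of a rule should not depend on the contents of a path. Add `quoted = x: ''"${escape [ "\\" "\"" ] x}"'';` next to `sexp` (escape is provided by the strings.nix already brought in with `with`) and use `(quoted x)` in place of `''"${x}"''` on those three lines; the profile language's string syntax appears to honour backslash escapes, which is worth confirming against a real profile before relying on it. A smaller point: the attrset branch drops any key other than `literal`/`subpath` without complaint, so a misspelt key in a `deny*` call yields a profile with that rule silently missing rather than an evaluation error; checking `builtins.attrNames files` against the two accepted names and calling `throw` otherwise would make this fail loudly at build time.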