author | Lily Ballard <lily@sb.org> | 2019-09-26 12:17:06 -0700 |
---|---|---|
committer | Lily Ballard <lily@sb.org> | 2019-09-27 09:40:25 -0700 |
commit | cf6fd918046f5281409c028126f5a02ec0bbefa4 (patch) | |
tree | 6a9ab2c8ab52cc28f467a659bf20cb1ae9055a40 /pkgs | |
parent | 6f3b44baa4f446cd920a14eb7a2f1f3a54d45851 (diff) | |
macvim: Add sandboxProfile
This allows full filesystem access except for Homebrew. This is because we don't know where Xcode will be installed, so we can't just whitelist it and its dependencies.
Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/applications/editors/vim/macvim.nix | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/pkgs/applications/editors/vim/macvim.nix b/pkgs/applications/editors/vim/macvim.nix index 3df964361cc8..b639ab617849 100644 --- a/pkgs/applications/editors/vim/macvim.nix +++ b/pkgs/applications/editors/vim/macvim.nix @@ -133,6 +133,15 @@ stdenv.mkDerivation { find $out/share/man \( -name eVim.1 -or -name xxd.1 \) -delete ''; + # We rely on the user's Xcode install to build. It may be located in an arbitrary place, and + # it's not clear what system-level components it may require, so for now we'll just allow full + # filesystem access. This way the package still can't access the network. + sandboxProfile = '' + (allow file-read* file-write* process-exec mach-lookup) + ; block homebrew dependencies + (deny file-read* file-write* process-exec mach-lookup (subpath "/usr/local") (with no-log)) + ''; + meta = with stdenv.lib; { description = "Vim - the text editor - for macOS"; homepage = https://github.com/macvim-dev/macvim; |
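Review bot: the deny rule in the new `sandboxProfile` is tagged `(with no-log)`, so any build step that reaches into `/usr/local` is refused silently; a Homebrew-provided tool or library leaking into the build would then fail with an opaque error rather than a logged sandbox violation, which defeats the purpose of the comment `; block homebrew dependencies` as a diagnostic aid. Suggest dropping `(with no-log)` (or stating in the comment why the denials must stay quiet). Two further points on the same hunk: the `allow` line grants `file-write*` over the entire filesystem, while the justification in the comment only explains the need to read and execute an Xcode install at an unknown path, so either narrow the write grant or document which writes outside the build directories are required; and the Homebrew block is keyed solely on the `/usr/local` subpath, so the comment should say that a Homebrew prefix elsewhere is not covered by this rule.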