cherry-pick lib.sandbox into master

9 years ago · 7039b24cdc
parent c296f64f19
commit 7039b24cdc
2 changed files with 49 additions and 1 deletions
--- a/lib/default.nix
+++ b/lib/default.nix
@ -17,10 +17,11 @@ let
  systems = import ./systems.nix;
  customisation = import ./customisation.nix;
  licenses = import ./licenses.nix;
+  sandbox = import ./sandbox.nix;

 in
  { inherit trivial lists strings stringsWithDeps attrsets sources options
-      modules types meta debug maintainers licenses platforms systems;
+      modules types meta debug maintainers licenses platforms systems sandbox;
  }
  # !!! don't include everything at top-level; perhaps only the most
  # commonly used functions.
--- a/lib/sandbox.nix
+++ b/lib/sandbox.nix
@ -0,0 +1,47 @@
+with import ./strings.nix;
+
+/* Helpers for creating lisp S-exprs for the Apple sandbox
+
+lib.sandbox.allowFileRead [ "/usr/bin/file" ];
+  # => "(allow file-read* (literal \"/usr/bin/file\"))";
+
+lib.sandbox.allowFileRead {
+  literal = [ "/usr/bin/file" ];
+  subpath = [ "/usr/lib/system" ];
+}
+  # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
+*/
+
+let
+
+sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
+generateFileList = files:
+  if builtins.isList files
+    then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files
+    else if builtins.isString files
+      then generateFileList [ files ]
+      else concatStringsSep " " (
+        (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
+        (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
+      );
+applyToFiles = f: act: files: f "${act} ${generateFileList files}";
+genActions = actionName: let
+  action = feature: sexp [ actionName feature ];
+  self = {
+    "${actionName}" = action;
+    "${actionName}File" = applyToFiles action "file*";
+    "${actionName}FileRead" = applyToFiles action "file-read*";
+    "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
+    "${actionName}DirectoryList" = self."${actionName}FileReadMetadata";
+    "${actionName}FileWrite" = applyToFiles action "file-write*";
+    "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
+  };
+  in self;
+
+in
+
+genActions "allow" // genActions "deny" // {
+  importProfile = derivation: ''
+    (import "${derivation}")
+  '';
+}