start on sandbox stuff

2015-11-06 17:44:02 -08:00
parent c296f64f19
commit 914e9baefe
13 changed files with 251 additions and 64 deletions
--- a/pkgs/development/interpreters/perl/5.16/default.nix
+++ b/pkgs/development/interpreters/perl/5.16/default.nix
@@ -33,6 +33,8 @@ stdenv.mkDerivation rec {
    pwd="$(type -P pwd)"
    substituteInPlace dist/Cwd/Cwd.pm \
      --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'"
+    grep -R /bin/pwd .
+    exit 1
  '';

  # Build a thread-safe Perl with a dynamic libperls.o.  We need the
--- a/pkgs/development/interpreters/perl/5.20/default.nix
+++ b/pkgs/development/interpreters/perl/5.20/default.nix
@@ -44,12 +44,14 @@ stdenv.mkDerivation rec {
  # while at the same time erasing the PATH environment variable so it unconditionally
  # fails. The code in question is guarded by a check for Mac OS, but the patch below
  # doesn't have any runtime effect on other platforms.
-  postPatch = stdenv.lib.optional (stdenv.isDarwin && !stdenv.cc.nativeLibc) ''
+  postPatch = stdenv.lib.optional stdenv.isDarwin ''
    pwd="$(type -P pwd)"
    substituteInPlace dist/PathTools/Cwd.pm \
-      --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'"
+      --replace "/bin/pwd" "$pwd"
  '';

+  __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
+
  # Build a thread-safe Perl with a dynamic libperls.o.  We need the
  # "installstyle" option to ensure that modules are put under
  # $out/lib/perl5 - this is the general default, but because $out