fkorotkov · June 8, 2021 11:52
diff --git a/chamber.sh b/chamber.sh
 #!/usr/bin/env bash

 set -e

 # list of Nix packages to install
 NIX_PACKAGES="darwin.shell_cmds"

 XCODE_DERIVED_DATA="$HOME/Library/Developer/Xcode/DerivedData"
 WORKING_DIRECTORY=$PWD

 PROFILE="(version 1)
 (debug deny)

 ;; by default deny everything
 (deny default)

 ;; allow sending signals to itself and processes in the same group
 (allow signal (target same-sandbox))

 ;; allow outbound internet
 (allow network-outbound)

 ;; lookup of IPC communications/messages like PowerManagement
 (allow mach-lookup)

 ;; read POSIX shared memory
 (allow ipc-posix-shm-read-data)
 (allow ipc-posix-shm-read-metadata)

 ;; access to notifications
 (allow ipc-posix-shm
       (ipc-posix-name \"apple.shm.notification_center\")
       (ipc-posix-name \"com.apple.AppleDatabaseChanged\"))

 ;; allow execution of programs
 (allow process*)
 (allow process-exec (subpath \"/usr\"))

 ;; packages installed via Nix
 (allow process-exec (subpath \"/nix/store\"))
 ;; Xcode.
 (allow process-exec (subpath \"/Applications/Xcode.app/Contents\"))

 ; Allow reading system information like #CPUs, etc.
 (allow sysctl-read)

 ;; make FS read only
 (allow file-read* (subpath \"/\"))

 ; Standard devices.
 (allow file* (subpath \"/dev\"))

 ;; allow writes to temp directories
 (allow file* (subpath \"/private/tmp\"))
 (allow file* (subpath \"/private/var/folders\"))

 ;; all write to working dir and Xcode's Derived Data
 (allow file* (subpath \"$PWD\"))
 (allow file* (subpath \"$XCODE_DERIVED_DATA\"))

 ;; uncomment to dump traces
 ;; (trace \"trace_dumps.sb\")
 "

 PROFILE_LOCATION="$TMPDIR/chamber.sb"
 echo "$PROFILE" > $PROFILE_LOCATION

 # I wasn't able to successfully run xcode builds within a nix shell
 # that's why we use Nix to compute a PATH for the packages and then
 # use it for sandboxing.
 NIX_SHELL_PATH=$(nix-shell --packages ${NIX_PACKAGES} --pure --run "echo \$PATH")
 PATH=/bin:/usr/bin:/usr/local/bin/:$NIX_SHELL_PATH sandbox-exec -f $PROFILE_LOCATION $*
	#!/usr/bin/env bash

	set -e

	# list of Nix packages to install
	NIX_PACKAGES="darwin.shell_cmds"

	XCODE_DERIVED_DATA="$HOME/Library/Developer/Xcode/DerivedData"
	WORKING_DIRECTORY=$PWD

	PROFILE="(version 1)
	(debug deny)

	;; by default deny everything
	(deny default)

	;; allow sending signals to itself and processes in the same group
	(allow signal (target same-sandbox))

	;; allow outbound internet
	(allow network-outbound)

	;; lookup of IPC communications/messages like PowerManagement
	(allow mach-lookup)

	;; read POSIX shared memory
	(allow ipc-posix-shm-read-data)
	(allow ipc-posix-shm-read-metadata)

	;; access to notifications
	(allow ipc-posix-shm
	(ipc-posix-name \"apple.shm.notification_center\")
	(ipc-posix-name \"com.apple.AppleDatabaseChanged\"))

	;; allow execution of programs
	(allow process*)
	(allow process-exec (subpath \"/usr\"))

	;; packages installed via Nix
	(allow process-exec (subpath \"/nix/store\"))
	;; Xcode.
	(allow process-exec (subpath \"/Applications/Xcode.app/Contents\"))

	; Allow reading system information like #CPUs, etc.
	(allow sysctl-read)

	;; make FS read only
	(allow file-read* (subpath \"/\"))

	; Standard devices.
	(allow file* (subpath \"/dev\"))

	;; allow writes to temp directories
	(allow file* (subpath \"/private/tmp\"))
	(allow file* (subpath \"/private/var/folders\"))

	;; all write to working dir and Xcode's Derived Data
	(allow file* (subpath \"$PWD\"))
	(allow file* (subpath \"$XCODE_DERIVED_DATA\"))

	;; uncomment to dump traces
	;; (trace \"trace_dumps.sb\")
	"

	PROFILE_LOCATION="$TMPDIR/chamber.sb"
	echo "$PROFILE" > $PROFILE_LOCATION

	# I wasn't able to successfully run xcode builds within a nix shell
	# that's why we use Nix to compute a PATH for the packages and then
	# use it for sandboxing.
	NIX_SHELL_PATH=$(nix-shell --packages ${NIX_PACKAGES} --pure --run "echo \$PATH")
	PATH=/bin:/usr/bin:/usr/local/bin/:$NIX_SHELL_PATH sandbox-exec -f $PROFILE_LOCATION $*