macvim: Add sandboxProfile

This allows full filesystem access except for Homebrew. This is because
we don't know where Xcode will be installed so we can't just whitelist
it and its dependencies.
This commit is contained in:
Lily Ballard 2019-09-26 12:17:06 -07:00
parent 6f3b44baa4
commit cf6fd91804

View File

@ -133,6 +133,15 @@ stdenv.mkDerivation {
find $out/share/man \( -name eVim.1 -or -name xxd.1 \) -delete
'';
# We rely on the user's Xcode install to build. It may be located in an arbitrary place, and
# it's not clear what system-level components it may require, so for now we'll just allow full
# filesystem access. This way the package still can't access the network.
sandboxProfile = ''
(allow file-read* file-write* process-exec mach-lookup)
; block homebrew dependencies
(deny file-read* file-write* process-exec mach-lookup (subpath "/usr/local") (with no-log))
'';
meta = with stdenv.lib; {
description = "Vim - the text editor - for macOS";
homepage = https://github.com/macvim-dev/macvim;