ocaml / opam

opam is a source-based package manager. It supports multiple simultaneous compiler installations, flexible package constraints, and a Git-friendly development workflow.
https://opam.ocaml.org

Sandbox prevent localhost listening on MacOS #5221

Open maiste opened 2 years ago

maiste commented 2 years ago

The macOS sandbox seems to prevent opening a connection on localhost. On the CI macOS worker, the localhost:port binding raised:

Unix.Unix_error(Unix.EPERM, "bind", "")

@kit-ty-kate executed a command to test it and it also failed:

% ~/.opam/opam-init/hooks/sandbox.sh build nc -l 8000
nc: Operation not permitted

Would there be a way to tweak sandbox-exec to support it?

kit-ty-kate commented 2 years ago

It looks like a hard problem to fix sadly :/ sandbox-exec does not seem to support creating a new network namespace like bubblewrap --unshare-net can. The best that can be done is:

(allow network* (local ip "localhost:*"))

but this would allow possible outside attackers to connect to the macOS machine remotely (I tested it) and maybe even hijacking some of the already open ports (not tested).
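
A probe for checking what a given sandbox profile actually permits, as an added example that is not part of the thread or of opam's code: it tries to bind on loopback and on the wildcard address, the latter being what would make a listener reachable from other hosts. The function names and verdict labels are assumptions of this example.

```python
import errno
import socket

# Loopback is what the build needs; the wildcard address is what a
# loopback-only sandbox rule should still refuse.
LOOPBACK, WILDCARD = "127.0.0.1", "0.0.0.0"


def classify(err):
    """Map a socket/bind failure to a result string (hypothetical labels)."""
    if err.errno in (errno.EPERM, errno.EACCES):
        return "denied"  # the EPERM reported in the issue lands here
    return "error:" + errno.errorcode.get(err.errno, str(err.errno))


def probe_bind(host):
    """Try to bind and listen on an ephemeral TCP port at `host`."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((host, 0))  # port 0: let the kernel pick a free port
            s.listen(1)
    except OSError as err:
        return classify(err)
    return "allowed"


def verdict(results):
    """Summarise what the sandbox permits, given {host: result}."""
    if results[WILDCARD] == "allowed":
        return "exposed"        # listener can sit on every interface
    if results[LOOPBACK] == "allowed":
        return "loopback-only"  # the policy the issue is asking for
    return "blocked"            # loopback bind refused, as in the report


if __name__ == "__main__":
    results = {h: probe_bind(h) for h in (LOOPBACK, WILDCARD)}
    for host, result in results.items():
        print(f"bind {host}: {result}")
    print("verdict:", verdict(results))
```

Run it through the sandbox wrapper the same way as the `nc` test above, once per candidate profile, and compare the verdicts.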

maiste commented 2 years ago

Spending some time looking at it this weekend; here is what I've found.