Open maiste opened 2 years ago
It looks like a hard problem to fix sadly :/

`sandbox-exec` does not seem to support creating a new network namespace like `bubblewrap --unshare-net` can.

The best that can be done is:

```scheme
(allow network* (local ip "localhost:*"))
```

but this would allow possible outside attackers to connect to the macOS machine remotely (I tested it) and maybe even hijack some of the already open ports (not tested).
Spending some time looking at it this weekend; here is what I've found.

`bazel`, as they wanted to allow local bindings, too (https://github.com/bazelbuild/bazel/issues/10068). Their solution seems to be:

```scheme
(deny network*)
(allow network-inbound (local ip "localhost:*"))
(allow network* (remote ip "localhost:*"))
```

The macOS sandbox seems to prevent opening a connection on `localhost`. On the CI macOS worker, the `localhost:port` binding raised:

@kit-ty-kate executed a command to test it and it also failed:
Would there be a way to tweak `sandbox-exec` to support it?
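As an added example (not code from this issue, from opam, or from Bazel): a shell script that writes the Bazel-style loopback-only profile quoted in the thread and probes it under `sandbox-exec` from both directions, so a reviewer can see on their own machine whether loopback bind/connect works and whether a non-loopback connect is refused by the sandbox (`EPERM`) rather than merely unreachable. The profile path, the `(allow default)` base rule (so that only networking is restricted) and the RFC 5737 TEST-NET-1 target address `192.0.2.1` are my assumptions; on a host without `sandbox-exec` the probe reports a skip instead of failing.

```shell
#!/bin/sh
# Added example, not part of the issue thread: generate the loopback-only
# sandbox profile discussed above and probe what it actually permits.

# Where the generated profile is written (assumption: any writable path works).
PROFILE="${PROFILE:-/tmp/loopback-only.sb}"

# Emit the profile: deny all networking, then re-allow loopback only.
# (allow default) is an assumption so that nothing but networking is restricted.
loopback_profile() {
    cat <<'EOF'
(version 1)
(allow default)
(deny network*)
(allow network-inbound (local ip "localhost:*"))
(allow network* (remote ip "localhost:*"))
EOF
}

# Run two checks inside the sandbox and report (never assert) the outcome:
#   1. bind + connect on 127.0.0.1 should succeed if loopback is really allowed;
#   2. a connect to a non-loopback address should fail with EPERM (sandbox
#      denial) rather than time out, which would mean the rule is not effective.
probe_sandbox() {
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "skip: sandbox-exec not available (macOS only)"
        return 0
    fi
    loopback_profile > "$PROFILE"
    sandbox-exec -f "$PROFILE" python3 - <<'EOF'
import socket

# Check 1: loopback listener plus a loopback client inside the same sandbox.
try:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket()
    cli.connect(srv.getsockname())
    srv.accept()
    print("loopback: ok")
except OSError as e:
    print("loopback: FAILED", e)

# Check 2: 192.0.2.1 is RFC 5737 TEST-NET-1 (constructed, never routable).
# Under an effective deny rule the sandbox refuses the connect with EPERM
# immediately; a timeout instead means the connect was allowed to leave.
s = socket.socket()
s.settimeout(2)
try:
    s.connect(("192.0.2.1", 80))
    print("non-loopback: ALLOWED (profile not effective)")
except PermissionError:
    print("non-loopback: denied by sandbox (EPERM)")
except socket.timeout:
    print("non-loopback: ALLOWED, timed out (profile not effective)")
except OSError as e:
    print("non-loopback: other error", e)
EOF
}

# Usage: run the probe and read the two report lines.
probe_sandbox
```

The probe deliberately reports rather than fails, because the thread itself shows the loopback rule behaving differently on the CI worker than expected; a `loopback: FAILED` line next to `non-loopback: denied by sandbox` is exactly the situation maiste describes.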