Skip to content

[2.5 backport] Allow the macOS sandbox to write in the /var/folders/ and /var/db/mds/ directories#6775

Merged
kit-ty-kate merged 1 commit intoocaml:2.5from
kit-ty-kate:2.5-relax-sandbox-macos
Nov 4, 2025
Merged

[2.5 backport] Allow the macOS sandbox to write in the /var/folders/ and /var/db/mds/ directories#6775
kit-ty-kate merged 1 commit intoocaml:2.5from
kit-ty-kate:2.5-relax-sandbox-macos

Conversation

@kit-ty-kate
Copy link
Copy Markdown
Member

@kit-ty-kate kit-ty-kate commented Nov 4, 2025

Backport of #4797 to the 2.5 branch

@kit-ty-kate
Allow the macOS sandbox to write in the /var/folders/ and `/var/db/…
e792475 
…mds/` directories

It is required by some of macOS core tools such as security(1) and
previous TMPDIR stored in /var/folders/*/*/T/ have been seen accessed by
xcode in the wild on occasion.

While the /var/folders/*/*/C/ directory contain things that are kept
indefinitely, these files are in theory understood by applications to be
writeable by anyone and thus not trusted.

The mds subdirectory is a cache used to search for files in the system.

Both of these are part of other tools that use sandbox-exec such as
MacPorts. See for example:

https://github.com/macports/macports-base/blob/2c6fc24ddd1d6961afa83c5b35be12224b6850f6/src/port1.0/portsandbox.tcl#L92
@kit-ty-kate kit-ty-kate added this to the 2.5.0~alpha2 milestone Nov 4, 2025
@kit-ty-kate kit-ty-kate requested a review from rjbou November 4, 2025 15:43
@kit-ty-kate kit-ty-kate mentioned this pull request Nov 4, 2025
Merged
@kit-ty-kate kit-ty-kate changed the title Allow the macOS sandbox to write in the /var/folders/ and /var/db/mds/ directories [2.5 backport] Allow the macOS sandbox to write in the /var/folders/ and /var/db/mds/ directories Nov 4, 2025
@kit-ty-kate kit-ty-kate changed the base branch from master to 2.5 November 4, 2025 15:44
@kit-ty-kate
Copy link
Copy Markdown
Member Author

kit-ty-kate commented Nov 4, 2025

The Doc-* jobs fail due to the change of target branch after the last push (BASE_REF_SHA: ${{ github.event.pull_request.base.sha }} is set before that and gets the wrong sha)

@kit-ty-kate kit-ty-kate merged commit 7150cda into ocaml:2.5 Nov 4, 2025
82 of 86 checks passed
@kit-ty-kate kit-ty-kate deleted the 2.5-relax-sandbox-macos branch November 4, 2025 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjbou rjbou rjbou approved these changes

Assignees

No one assigned

Labels

AREA: SANDBOX

Projects

None yet

Milestone

2.5.0~beta1

Development

Successfully merging this pull request may close these issues.

2 participants

@kit-ty-kate @rjbou