Deny unix-socket in sandbox script by default. Fixes #1881.

-- MOS_MIGRATED_REVID=135360041
author: Yue Gan <yueg@google.com> 2016-10-06 15:13:28 +0000
committer: Damien Martin-Guillerez <dmarting@google.com> 2016-10-07 08:06:04 +0000
commit: 69e172698af83488b267d3070d90f9dd6fb00cbb (patch)
tree: f867247a585b53fd4fe97ecbd738d0b8c4b43dc2
parent: 651b190d1f146b4a211cf4443319ed598157e229 (diff)
1 files changed, 0 insertions, 2 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
index c9c330d25f..c8387581ff 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
@@ -129,8 +129,6 @@ final class DarwinSandboxRunner extends SandboxRunner {
 
       out.println("(allow network* (local ip \"localhost:*\"))");
       out.println("(allow network* (remote ip \"localhost:*\"))");
-      out.println("(allow network* (remote unix-socket (subpath \"/\")))");
-      out.println("(allow network* (local unix-socket (subpath \"/\")))");
 
       for (Path inaccessiblePath : inaccessiblePaths) {
         out.println("(deny file-read* (subpath \"" + inaccessiblePath + "\"))");
author	Yue Gan <yueg@google.com>	2016-10-06 15:13:28 +0000
committer	Damien Martin-Guillerez <dmarting@google.com>	2016-10-07 08:06:04 +0000
commit	69e172698af83488b267d3070d90f9dd6fb00cbb (patch)
tree	f867247a585b53fd4fe97ecbd738d0b8c4b43dc2
parent	651b190d1f146b4a211cf4443319ed598157e229 (diff)