From 34dd70d2874a56cad9e412f264b209ddd19e89c9 Mon Sep 17 00:00:00 2001 From: Andrew Marshall Date: Wed, 11 Sep 2024 17:29:00 -0400 Subject: [PATCH 1/2] Document __darwinAllowLocalNetworking sandbox exception Split the larger paragraph above so OS-specific bits are in separate paragraphs. No changes to the split out text (just reformatting lines). --- src/libstore/globals.hh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index be922c9f741..8765a6a62ee 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -613,11 +613,17 @@ public: `/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths configured with the `sandbox-paths` option. This is useful to prevent undeclared dependencies on files in directories such as - `/usr/bin`. In addition, on Linux, builds run in private PID, - mount, network, IPC and UTS namespaces to isolate them from other - processes in the system (except that fixed-output derivations do - not run in private network namespace to ensure they can access the - network). + `/usr/bin`. + + In addition, on Linux, builds run in private PID, mount, network, + IPC and UTS namespaces to isolate them from other processes in the + system (except that fixed-output derivations do not run in private + network namespace to ensure they can access the network). + + On macOS, local port binding is disabled by default when the + sandbox is enabled. Derivations that have the + `__darwinAllowLocalNetworking` attribute set to `true` will have a + sandbox exception added to allow it. Currently, sandboxing only work on Linux and macOS. The use of a sandbox requires that Nix is run as root (so you should use the From 9492a64005d64020222efe0a7899f39838f80b69 Mon Sep 17 00:00:00 2001 
From: Andrew Marshall Date: Wed, 11 Sep 2024 17:29:11 -0400 Subject: [PATCH 2/2] Document that the macOS sandbox is not a security boundary See e.g. discussion in https://github.com/NixOS/nix/pull/11270 --- src/libstore/globals.hh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 8765a6a62ee..9149e9f2031 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -625,6 +625,9 @@ public: `__darwinAllowLocalNetworking` attribute set to `true` will have a sandbox exception added to allow it. + The macOS sandbox has known limitations, and should not be + considered a strong security boundary. + Currently, sandboxing only work on Linux and macOS. The use of a sandbox requires that Nix is run as root (so you should use the “build users” feature to perform the actual builds under different
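Review bot: In the new macOS paragraph of PATCH 1/2 (`+ On macOS, local port binding is disabled by default ...`), "will have a sandbox exception added to allow it" has no clear antecedent; spell the exception out, e.g. "will have a sandbox exception added that allows binding to local ports", and say plainly that the attribute relaxes the sandbox for that derivation only, so a reader sees it as a per-derivation opt-out that widens what the build can reach rather than a cosmetic setting. The unchanged context line that follows, `Currently, sandboxing only work on Linux and macOS.`, carries a pre-existing grammar error (`work` should be `works`); since this commit is documented as a pure reflow, a follow-up commit is the right place to fix it.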
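Review bot: The sentence added in PATCH 2/2, `The macOS sandbox has known limitations, and should not be considered a strong security boundary.`, tells the reader the sandbox is weak without saying which limitations or what to do about it; either name them or carry the reference the commit message cites (https://github.com/NixOS/nix/pull/11270) into the documentation itself, since readers of the option reference never see the commit message, and state the practical consequence (which protection to rely on instead, e.g. the separate build users the following paragraph describes). The sentence also sits directly after the `__darwinAllowLocalNetworking` paragraph, where it can read as a limitation caused by that attribute; rephrase to make clear it applies to the macOS sandbox as a whole ("Regardless of this attribute, the macOS sandbox ..."), and drop the comma before "and should not", which splits a single subject's compound predicate.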