Make the macOS sandbox stricter to workaround a macOS bug (fixes #4389)

[kit-ty-kate]

This is an attempt at fixing #4389
I've used dtrace on /usr/bin/security but I still can't find the exact point where something is written in that directory.
It looks related to something in /private/var/db/mds, probably a symlink to /private/var/folders.

In any case i've looked around and realized that macports had similar things so maybe it makes sense(?). They also have other things but I'm not sure we should allow even more: https://github.com/macports/macports-base/blob/2c6fc24ddd1d6961afa83c5b35be12224b6850f6/src/port1.0/portsandbox.tcl#L92

All in all I have no idea what this directory is supposed to be in the context of /usr/bin/security. Their commit adding it doesn't say anything either: macports/macports-base@e3eceea

Several blog posts in the wild are also trying to understand what's up with this directory:

• http://www.magnusviri.com/what-is-var-folders.html
• https://www.swiftforensics.com/2017/04/the-mystery-of-varfolders-on-osx.html

hier(7) says it's "per-user temporary files and caches", so allowing writes like macports does doesn't seem right to me.

However, I found out (late into writing this PR even ^^") that if we forbid reads into that directory, /usr/bin/security won't try to write in it and still succeeds.
This is most likely a bug in macOS itself but there we are!

cc @hannesm

[dra27]

What's up with the macOS test?

[kit-ty-kate]

I've sent a bug report to Apple about it btw.

[rjbou]

What's up with the macOS test?

Found it!

+ ${BASEDIR}/OPAM/opam-init/hooks/sandbox.sh "build" "sh" "-c" "echo SUCCESS | tee check-write"
- shell-init: error retrieving current directory: getcwd: cannot access parent directories: Operation not permitted
- SUCCESS

[rjbou]

So sandbox check is failing, and it is removed from config file.

[rjbou]

From tests, seems that this changes disable sandbox.