From 7541129f04ce460b13fe4876afa600e8735c0afd Mon Sep 17 00:00:00 2001
From: Michael Hoang <enzime@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:35:29 +0100
Subject: [PATCH] Fix `curl` with `c-ares` failing to resolve DNS inside
 sandbox on macOS

---
 src/libstore/unix/build/sandbox-network.sb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/libstore/unix/build/sandbox-network.sb b/src/libstore/unix/build/sandbox-network.sb
index 335edbaed..a504027c7 100644
--- a/src/libstore/unix/build/sandbox-network.sb
+++ b/src/libstore/unix/build/sandbox-network.sb
@@ -16,6 +16,7 @@ R""(
 
 ; Allow DNS lookups.
 (allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
+(allow mach-lookup (global-name "com.apple.SystemConfiguration.DNSConfiguration"))
 
 ; Allow access to trustd.
 (allow mach-lookup (global-name "com.apple.trustd"))