From 914e9baefe9b606ed331ba427af50c41715f973d Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Fri, 6 Nov 2015 17:44:02 -0800 Subject: [PATCH] start on sandbox stuff --- lib/default.nix | 3 +- lib/sandbox.nix | 40 ++++++++++++ pkgs/build-support/fetchurl/default.nix | 4 ++ .../interpreters/perl/5.16/default.nix | 2 + .../interpreters/perl/5.20/default.nix | 6 +- .../CoreOSMakefiles/default.nix | 2 +- .../adv_cmds/default.nix | 65 +++++++++++++------ .../apple-source-releases/bsdmake/default.nix | 45 +++++++++++++ .../darwin/apple-source-releases/default.nix | 7 +- pkgs/stdenv/generic/default.nix | 26 ++++---- pkgs/stdenv/pure-darwin/default.nix | 46 ++++++------- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 65 +++++++++++++++++++ pkgs/top-level/all-packages.nix | 4 +- 13 files changed, 251 insertions(+), 64 deletions(-) create mode 100644 lib/sandbox.nix create mode 100644 pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix create mode 100644 pkgs/stdenv/pure-darwin/standard-sandbox.sb diff --git a/lib/default.nix b/lib/default.nix index cd0d8161c8cb..32ac0c58af6c 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -17,10 +17,11 @@ let systems = import ./systems.nix; customisation = import ./customisation.nix; licenses = import ./licenses.nix; + sandbox = import ./sandbox.nix; in { inherit trivial lists strings stringsWithDeps attrsets sources options - modules types meta debug maintainers licenses platforms systems; + modules types meta debug maintainers licenses platforms systems sandbox; } # !!! don't include everything at top-level; perhaps only the most # commonly used functions. diff --git a/lib/sandbox.nix b/lib/sandbox.nix new file mode 100644 index 000000000000..2deee89e12c4 --- /dev/null +++ b/lib/sandbox.nix @@ -0,0 +1,40 @@ +with import ./strings.nix; + +/* Helpers for creating lisp S-exprs for the Apple sandbox + +lib.sandbox.allowFileRead [ "/usr/bin/file" ]; + # => "(allow file-read* (literal \"/usr/bin/file\"))"; + +lib.sandbox.allowFileRead { + literal = [ "/usr/bin/file" ]; + subpath = [ "/usr/lib/system" ]; +} + # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))" +*/ + +let + +sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")"; +generateFileList = files: + if builtins.isList files + then concatMapStringsSep " " (x: sexp [ "literal" x ]) files + else concatStringsSep " " ( + (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ + (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) + ); +applyToFiles = f: act: files: f "${act} ${generateFileList files}"; +genActions = actionName: let + action = feature: sexp [ actionName feature ]; + self = { + "${actionName}" = action; + "${actionName}File" = applyToFiles action "file*"; + "${actionName}FileRead" = applyToFiles action "file-read*"; + "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata"; + "${actionName}FileWrite" = applyToFiles action "file-write*"; + "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata"; + }; + in self; + +in + +genActions "allow" // genActions "deny" diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index b1dc6e7be31b..96ad0c2864bb 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -118,6 +118,10 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s outputHashMode = if recursiveHash then "recursive" else "flat"; + __sandboxProfile = '' + (allow network-outbound) + ''; + inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp; # Doing the download on a remote machine just duplicates network diff --git a/pkgs/development/interpreters/perl/5.16/default.nix b/pkgs/development/interpreters/perl/5.16/default.nix index 568025edfd4c..8a89d97a100e 100644 --- a/pkgs/development/interpreters/perl/5.16/default.nix +++ b/pkgs/development/interpreters/perl/5.16/default.nix @@ -33,6 +33,8 @@ stdenv.mkDerivation rec { pwd="$(type -P pwd)" substituteInPlace dist/Cwd/Cwd.pm \ --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'" + grep -R /bin/pwd . + exit 1 ''; # Build a thread-safe Perl with a dynamic libperls.o. We need the diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index 141484814ea3..b2f43d176e81 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -44,12 +44,14 @@ stdenv.mkDerivation rec { # while at the same time erasing the PATH environment variable so it unconditionally # fails. The code in question is guarded by a check for Mac OS, but the patch below # doesn't have any runtime effect on other platforms. - postPatch = stdenv.lib.optional (stdenv.isDarwin && !stdenv.cc.nativeLibc) '' + postPatch = stdenv.lib.optional stdenv.isDarwin '' pwd="$(type -P pwd)" substituteInPlace dist/PathTools/Cwd.pm \ - --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'" + --replace "/bin/pwd" "$pwd" ''; + __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under # $out/lib/perl5 - this is the general default, but because $out diff --git a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix index 9f6031771c2d..203ca010d62a 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix @@ -1,7 +1,7 @@ { stdenv, appleDerivation, unifdef }: appleDerivation { - buildinputs = [ unifdef ]; + buildInputs = [ unifdef ]; phases = [ "unpackPhase" "installPhase" ]; diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 4bc3a7a7fa42..baeca0f6fe3b 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -1,32 +1,55 @@ -{ stdenv, appleDerivation, version }: +{ stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin +}: + +let recentAdvCmds = fetchzip { + url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz"; + sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn"; +}; + +in appleDerivation { + buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ]; + + patchPhase = '' + substituteInPlace BSDMakefile \ + --replace chgrp true \ + --replace /Developer/Makefiles/bin/compress-man-pages.pl true \ + --replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \ + --replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \ + --replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO" + + substituteInPlace Makefile --replace perl true + + substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl" + + for subproject in colldef mklocale monetdef msgdef numericdef timedef; do + substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \ + --replace /usr/share/locale "" \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace "rsync -a" "cp -r" + done + ''; -appleDerivation { - # Will override the name until we provide all of adv_cmds buildPhase = '' - pushd ps - cc -Os -Wall -I. -c -o fmt.o fmt.c - cc -Os -Wall -I. -c -o keyword.o keyword.c - cc -Os -Wall -I. -c -o nlist.o nlist.c - cc -Os -Wall -I. -c -o print.o print.c - cc -Os -Wall -I. -c -o ps.o ps.c - cc -Os -Wall -I. -c -o tasks.o tasks.c - cc -o ps fmt.o keyword.o nlist.o print.o ps.o tasks.o - popd + bsdmake -C colldef.tproj + bsdmake -C mklocale.tproj + bsdmake -C usr-share-locale.tproj - pushd locale - c++ -o locale locale.cc - popd + clang ${recentAdvCmds}/ps/*.c -o ps ''; installPhase = '' - mkdir -p $out/bin $out/share/man/man1 - - cp ps/ps $out/bin/ps - cp ps/ps.1 $out/share/man/man1 - cp locale/locale $out/bin/locale - cp locale/locale.1 $out/share/man/man1 + bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale" + install -d 0755 $ps/bin + install ps $ps/bin/ps ''; + outputs = [ + "ps" + "locale" + ]; + + # ps uses this syscall to get process info + __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix new file mode 100644 index 000000000000..dcbf8b433088 --- /dev/null +++ b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix @@ -0,0 +1,45 @@ +{ stdenv, appleDerivation, fetchurl, fetchpatch, makeWrapper }: + +appleDerivation { + buildInputs = [ makeWrapper ]; + + patchPhase = '' + substituteInPlace mk/bsd.prog.mk \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' "" + substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' "" + substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' "" + substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' "" + substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' "" + substituteInPlace mk/bsd.files.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + substituteInPlace mk/bsd.incs.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + ''; + + buildPhase = '' + objs=() + for file in $(find . -name '*.c'); do + obj="$(basename "$file" .c).o" + objs+=("$obj") + cc -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g + done + cc "''${objs[@]}" -o bsdmake + ''; + + installPhase = '' + install -d 0644 $out/bin + install -m 0755 bsdmake $out/bin + install -d 0644 $out/share/mk + install -m 0755 mk/* $out/share/mk + ''; + + preFixup = '' + wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk" + ''; +} diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 906e0ad2d544..b494f5ae3466 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -48,16 +48,19 @@ let IOKitSrcs = stdenv.lib.mapAttrs (name: value: if builtins.isFunction value then value name else value) IOKitSpecs; + adv_cmds = applePackage "adv_cmds" "119" "102ssayxbg9wb35mdmhswbnw0bg7js3pfd8fcbic83c5q3bqa6c6" {}; + packages = { - adv_cmds = applePackage "adv_cmds" "153" "174v6a4zkcm2pafzgdm6kvs48z5f911zl7k49hv7kjq6gm58w99v" {}; + inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; - CoreOSMakefiles = applePackage "CoreOSMakefiles" "76" "0sw3w3sjil0kvxz8y86b81sz82rcd1nijayki1a1bsnsf0hz6qbf" {}; + CoreOSMakefiles = applePackage "CoreOSMakefiles" "40" "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {}; Csu = applePackage "Csu" "79" "1hif4dz23isgx85sgh11yg8amvp2ksvvhz3y5v07zppml7df2lnh" {}; dtrace = applePackage "dtrace" "118.1" "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {}; dyld = applePackage "dyld" "239.4" "07z7lyv6x0f6gllb5hymccl31zisrdhz4gqp722xcs9nhsqaqvn7" {}; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 246ca3696d58..c2324c86eb5a 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] +, __stdenvSandboxProfile ? "" +, __extraSandboxProfile ? "" }: let @@ -100,6 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] + , __sandboxProfile ? "" + , __propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -149,13 +153,14 @@ let lib.addPassthru (derivation ( (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" - "__impureHostDeps" "__propagatedImpureHostDeps"]) + "__impureHostDeps" "__propagatedImpureHostDeps" + "__sandboxProfile" "__propagatedSandboxProfile"]) // (let # TODO: remove lib.unique once nix has a list canonicalization primitive - computedImpureHostDeps = - lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); - computedPropagatedImpureHostDeps = - lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs)); + computedSandboxProfile = + lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs))); + computedPropagatedSandboxProfile = + lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs))); in { builder = attrs.realBuilder or shell; @@ -173,13 +178,8 @@ let propagatedNativeBuildInputs = propagatedNativeBuildInputs ++ (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { - __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ - "/dev/zero" - "/dev/random" - "/dev/urandom" - "/bin/sh" - ]; - __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps; + __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile; + __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile; } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -216,7 +216,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - __impureHostDeps = __stdenvImpureHostDeps; + __sandboxProfile = __stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index d13dc98cd742..fb3559659e59 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -5,18 +5,7 @@ }: let - # libSystem and its transitive dependencies. Get used to this; it's a recurring theme in darwin land - libSystemClosure = [ - "/usr/lib/libSystem.dylib" - "/usr/lib/libSystem.B.dylib" - "/usr/lib/libobjc.A.dylib" - "/usr/lib/libobjc.dylib" - "/usr/lib/libauto.dylib" - "/usr/lib/libc++abi.dylib" - "/usr/lib/libc++.1.dylib" - "/usr/lib/libDiagnosticMessagesClient.dylib" - "/usr/lib/system" - ]; + libSystemProfile = builtins.readFile ./standard-sandbox.sb; fetch = { file, sha256, executable ? true }: import { url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; @@ -46,7 +35,9 @@ in rec { ''; # The one dependency of /bin/sh :( - binShClosure = [ "/usr/lib/libncurses.5.4.dylib" ]; + binShClosure = '' + (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib")) + ''; bootstrapTools = derivation rec { inherit system tarball; @@ -57,7 +48,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __impureHostDeps = binShClosure ++ libSystemClosure; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -100,8 +91,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + __stdenvSandboxProfile = binShClosure + libSystemProfile; + __extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -178,10 +169,14 @@ in rec { }; stage2 = with stage1; stageFun 2 stage1 { + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ xz libcxx libcxxabi icu ]) ++ - (with pkgs.darwin; [ dyld Libsystem CF ]); + (with pkgs.darwin; [ dyld Libsystem CF locale ]); overrides = persistent1; }; @@ -196,7 +191,7 @@ in rec { darwin = orig.darwin // { inherit (darwin) - dyld Libsystem xnu configd libdispatch libclosure launchd libiconv; + dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale; }; }; @@ -209,10 +204,14 @@ in rec { # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first. extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ icu bash libcxx libcxxabi ]) ++ - (with pkgs.darwin; [ dyld Libsystem ]); + (with pkgs.darwin; [ dyld Libsystem locale ]); overrides = persistent2; }; @@ -230,13 +229,16 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem libiconv; + inherit (darwin) dyld Libsystem libiconv locale; }; }; stage4 = with stage3; stageFun 4 stage3 { shell = "${pkgs.bash}/bin/bash"; extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; overrides = persistent3; }; @@ -263,8 +265,8 @@ in rec { preHook = commonPreHook; - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + __stdenvSandboxProfile = binShClosure + libSystemProfile; + __extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb new file mode 100644 index 000000000000..670ab01f3477 --- /dev/null +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb @@ -0,0 +1,65 @@ +(define TMPDIR (param "_GLOBAL_TMP_DIR")) + +; obvious +(allow process-fork) + +; allow reading system information like #CPUs, etc. +(allow sysctl-read) + +; IPC +(allow ipc-posix-sem) + +; Unix sockets +(allow system-socket) + +; all runtime dependencies of libSystem.dylib +(allow file-read* + (literal "/usr/lib/libSystem.dylib") + (literal "/usr/lib/libSystem.B.dylib") + (literal "/usr/lib/libobjc.A.dylib") + (literal "/usr/lib/libobjc.dylib") + (literal "/usr/lib/libauto.dylib") + (literal "/usr/lib/libc++abi.dylib") + (literal "/usr/lib/libc++.1.dylib") + (literal "/usr/lib/libDiagnosticMessagesClient.dylib") + (subpath "/usr/lib/system")) + +; tmp +(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) + +; clang likes to read the system version +(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) + +; used for bootstrap builders +(allow process-exec* (literal "/bin/sh")) + +; standard devices +(allow file* + (literal "/dev/null") + (literal "/dev/random") + (literal "/dev/stdin") + (literal "/dev/stdout") + (literal "/dev/tty") + (literal "/dev/urandom") + (literal "/dev/zero") + (subpath "/dev/fd")) + +; does nothing, but reduces build noise +(allow file* (literal "/dev/dtracehelper")) + +; ICU data and zoneinfo data are hardcoded +; both are in libicucore and zoneinfo is in libsystem_c as well +(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo")) + +; lots of autoconf projects want to list this directory +(allow file-read-metadata (literal "/var") (literal "/private/var/tmp")) + +; mute annoying failures +(deny file-read-metadata (with no-log) + (literal "/etc") + (subpath "/usr/bin")) + +(deny process-exec* (with no-log) + (literal "/usr/bin/arch") + (literal "/usr/bin/hostinfo") + (literal "/usr/bin/uname")) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index fe750870f57e..4531fbcc183b 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -1553,7 +1553,7 @@ let garmintools = callPackage ../development/libraries/garmintools {}; gawk = callPackage ../tools/text/gawk { - locale = darwin.adv_cmds; + inherit (darwin) locale; }; gawkInteractive = appendToName "interactive" @@ -5486,7 +5486,7 @@ let cmake = callPackage ../development/tools/build-managers/cmake { wantPS = stdenv.isDarwin; - ps = if stdenv.isDarwin then darwin.adv_cmds else null; + inherit (darwin) ps; }; cmakeCurses = cmake.override { useNcurses = true; };