start on sandbox stuff

lib/default.nix

@@ -17,10 +17,11 @@ let
   systems = import ./systems.nix;
   customisation = import ./customisation.nix;
   licenses = import ./licenses.nix;
+  sandbox = import ./sandbox.nix;
 
 in
   { inherit trivial lists strings stringsWithDeps attrsets sources options
-      modules types meta debug maintainers licenses platforms systems;
+      modules types meta debug maintainers licenses platforms systems sandbox;
   }
   # !!! don't include everything at top-level; perhaps only the most
   # commonly used functions.

lib/sandbox.nix

@@ -0,0 +1,40 @@
+with import ./strings.nix;
+
+/* Helpers for creating lisp S-exprs for the Apple sandbox
+
+lib.sandbox.allowFileRead [ "/usr/bin/file" ];
+  # => "(allow file-read* (literal \"/usr/bin/file\"))";
+
+lib.sandbox.allowFileRead {
+  literal = [ "/usr/bin/file" ];
+  subpath = [ "/usr/lib/system" ];
+}
+  # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
+*/
+
+let
+
+sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
+generateFileList = files:
+  if builtins.isList files
+    then concatMapStringsSep " " (x: sexp [ "literal" x ]) files
+    else concatStringsSep " " (
+      (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
+      (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
+    );
+applyToFiles = f: act: files: f "${act} ${generateFileList files}";
+genActions = actionName: let
+  action = feature: sexp [ actionName feature ];
+  self = {
+    "${actionName}" = action;
+    "${actionName}File" = applyToFiles action "file*";
+    "${actionName}FileRead" = applyToFiles action "file-read*";
+    "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
+    "${actionName}FileWrite" = applyToFiles action "file-write*";
+    "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
+  };
+  in self;
+
+in
+
+genActions "allow" // genActions "deny"

pkgs/build-support/fetchurl/default.nix

@@ -118,6 +118,10 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s
 
   outputHashMode = if recursiveHash then "recursive" else "flat";
 
+  __sandboxProfile = ''
+    (allow network-outbound)
+  '';
+
   inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp;
 
   # Doing the download on a remote machine just duplicates network

pkgs/development/interpreters/perl/5.16/default.nix

@@ -33,6 +33,8 @@ stdenv.mkDerivation rec {
     pwd="$(type -P pwd)"
     substituteInPlace dist/Cwd/Cwd.pm \
       --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'"
+    grep -R /bin/pwd .
+    exit 1
   '';
 
   # Build a thread-safe Perl with a dynamic libperls.o.  We need the

pkgs/development/interpreters/perl/5.20/default.nix

@@ -44,12 +44,14 @@ stdenv.mkDerivation rec {
   # while at the same time erasing the PATH environment variable so it unconditionally
   # fails. The code in question is guarded by a check for Mac OS, but the patch below
   # doesn't have any runtime effect on other platforms.
-  postPatch = stdenv.lib.optional (stdenv.isDarwin && !stdenv.cc.nativeLibc) ''
+  postPatch = stdenv.lib.optional stdenv.isDarwin ''
     pwd="$(type -P pwd)"
     substituteInPlace dist/PathTools/Cwd.pm \
-      --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'"
+      --replace "/bin/pwd" "$pwd"
   '';
 
+  __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
+
   # Build a thread-safe Perl with a dynamic libperls.o.  We need the
   # "installstyle" option to ensure that modules are put under
   # $out/lib/perl5 - this is the general default, but because $out

pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix

@@ -1,7 +1,7 @@
 { stdenv, appleDerivation, unifdef }:
 
 appleDerivation {
-  buildinputs = [ unifdef ];
+  buildInputs = [ unifdef ];
 
   phases = [ "unpackPhase" "installPhase" ];
 

pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix

@@ -1,32 +1,55 @@
-{ stdenv, appleDerivation, version }:
+{ stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin
+}:
+
+let recentAdvCmds = fetchzip {
+  url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz";
+  sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn";
+};
+
+in appleDerivation {
+  buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ];
+
+  patchPhase = ''
+    substituteInPlace BSDMakefile \
+      --replace chgrp true \
+      --replace /Developer/Makefiles/bin/compress-man-pages.pl true \
+      --replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \
+      --replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \
+      --replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO"
+
+    substituteInPlace Makefile --replace perl true
+
+    substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl"
+
+    for subproject in colldef mklocale monetdef msgdef numericdef timedef; do
+      substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \
+        --replace /usr/share/locale "" \
+        --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
+        --replace "rsync -a" "cp -r"
+    done
+  '';
 
-appleDerivation {
-  # Will override the name until we provide all of adv_cmds
   buildPhase = ''
-    pushd ps
-    cc -Os -Wall -I. -c -o fmt.o fmt.c
-    cc -Os -Wall -I. -c -o keyword.o keyword.c
-    cc -Os -Wall -I. -c -o nlist.o nlist.c
-    cc -Os -Wall -I. -c -o print.o print.c
-    cc -Os -Wall -I. -c -o ps.o ps.c
-    cc -Os -Wall -I. -c -o tasks.o tasks.c
-    cc -o ps fmt.o keyword.o nlist.o print.o ps.o tasks.o
-    popd
+    bsdmake -C colldef.tproj
+    bsdmake -C mklocale.tproj
+    bsdmake -C usr-share-locale.tproj
 
-    pushd locale
-    c++ -o locale locale.cc
-    popd
+    clang ${recentAdvCmds}/ps/*.c -o ps
   '';
 
   installPhase = ''
-    mkdir -p $out/bin $out/share/man/man1
-
-    cp ps/ps   $out/bin/ps
-    cp ps/ps.1 $out/share/man/man1
-    cp locale/locale   $out/bin/locale
-    cp locale/locale.1 $out/share/man/man1
+    bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale"
+    install -d 0755 $ps/bin
+    install ps $ps/bin/ps
   '';
 
+  outputs = [
+    "ps"
+    "locale"
+  ];
+
+  # ps uses this syscall to get process info
+  __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";
 
   meta = {
     platforms = stdenv.lib.platforms.darwin;

pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix

@@ -0,0 +1,45 @@
+{ stdenv, appleDerivation, fetchurl, fetchpatch, makeWrapper }:
+
+appleDerivation {
+  buildInputs = [ makeWrapper ];
+
+  patchPhase = ''
+    substituteInPlace mk/bsd.prog.mk \
+      --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
+      --replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' ""
+    substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' ""
+    substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' ""
+    substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' ""
+    substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' ""
+    substituteInPlace mk/bsd.files.mk \
+      --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
+      --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
+    substituteInPlace mk/bsd.incs.mk \
+      --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
+      --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
+  '';
+
+  buildPhase = ''
+    objs=()
+    for file in $(find . -name '*.c'); do
+      obj="$(basename "$file" .c).o"
+      objs+=("$obj")
+      cc -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g
+    done
+    cc "''${objs[@]}" -o bsdmake
+  '';
+
+  installPhase = ''
+    install -d 0644 $out/bin
+    install -m 0755 bsdmake $out/bin
+    install -d 0644 $out/share/mk
+    install -m 0755 mk/* $out/share/mk
+  '';
+
+  preFixup = ''
+    wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk"
+  '';
+}

pkgs/os-specific/darwin/apple-source-releases/default.nix

@@ -48,16 +48,19 @@ let
 
   IOKitSrcs = stdenv.lib.mapAttrs (name: value: if builtins.isFunction value then value name else value) IOKitSpecs;
 
+  adv_cmds        = applePackage "adv_cmds"          "119"         "102ssayxbg9wb35mdmhswbnw0bg7js3pfd8fcbic83c5q3bqa6c6" {};
+
   packages = {
-    adv_cmds        = applePackage "adv_cmds"          "153"         "174v6a4zkcm2pafzgdm6kvs48z5f911zl7k49hv7kjq6gm58w99v" {};
+    inherit (adv_cmds) ps locale;
     architecture    = applePackage "architecture"      "265"         "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {};
     bootstrap_cmds  = applePackage "bootstrap_cmds"    "86"          "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {};
+    bsdmake         = applePackage "bsdmake"           "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
     CarbonHeaders   = applePackage "CarbonHeaders"     "9A581"       "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {};
     CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {};
     CommonCrypto    = applePackage "CommonCrypto"      "60049"       "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {};
     configd         = applePackage "configd"           "453.19"      "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {};
     copyfile        = applePackage "copyfile"          "103.92.1"    "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {};
-    CoreOSMakefiles = applePackage "CoreOSMakefiles"   "76"          "0sw3w3sjil0kvxz8y86b81sz82rcd1nijayki1a1bsnsf0hz6qbf" {};
+    CoreOSMakefiles = applePackage "CoreOSMakefiles"   "40"          "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {};
     Csu             = applePackage "Csu"               "79"          "1hif4dz23isgx85sgh11yg8amvp2ksvvhz3y5v07zppml7df2lnh" {};
     dtrace          = applePackage "dtrace"            "118.1"       "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {};
     dyld            = applePackage "dyld"              "239.4"       "07z7lyv6x0f6gllb5hymccl31zisrdhz4gqp722xcs9nhsqaqvn7" {};

pkgs/stdenv/generic/default.nix

@@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , extraBuildInputs ? []
 , __stdenvImpureHostDeps ? []
 , __extraImpureHostDeps ? []
+, __stdenvSandboxProfile ? ""
+, __extraSandboxProfile ? ""
 }:
 
 let
@@ -100,6 +102,8 @@ let
     , outputs ? [ "out" ]
     , __impureHostDeps ? []
     , __propagatedImpureHostDeps ? []
+    , __sandboxProfile ? ""
+    , __propagatedSandboxProfile ? ""
     , ... } @ attrs:
     let
       pos' =
@@ -149,13 +153,14 @@ let
       lib.addPassthru (derivation (
         (removeAttrs attrs
           ["meta" "passthru" "crossAttrs" "pos"
-           "__impureHostDeps" "__propagatedImpureHostDeps"])
+           "__impureHostDeps" "__propagatedImpureHostDeps"
+           "__sandboxProfile" "__propagatedSandboxProfile"])
         // (let
           # TODO: remove lib.unique once nix has a list canonicalization primitive
-          computedImpureHostDeps =
-            lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs));
-          computedPropagatedImpureHostDeps =
-            lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs));
+          computedSandboxProfile =
+            lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)));
+          computedPropagatedSandboxProfile =
+            lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs)));
         in
         {
           builder = attrs.realBuilder or shell;
@@ -173,13 +178,8 @@ let
           propagatedNativeBuildInputs = propagatedNativeBuildInputs ++
             (if crossConfig == null then propagatedBuildInputs else []);
         } // ifDarwin {
-          __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
-            "/dev/zero"
-            "/dev/random"
-            "/dev/urandom"
-            "/bin/sh"
-          ];
-          __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
+          __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile;
+          __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile;
         } // (if outputs' != [ "out" ] then {
           outputs = outputs';
         } else { })))) (
@@ -216,7 +216,7 @@ let
       inherit preHook initialPath shell defaultNativeBuildInputs;
     }
     // ifDarwin {
-      __impureHostDeps = __stdenvImpureHostDeps;
+      __sandboxProfile = __stdenvSandboxProfile;
     })
 
     // rec {

pkgs/stdenv/pure-darwin/default.nix

@@ -5,18 +5,7 @@
 }:
 
 let
-  # libSystem and its transitive dependencies. Get used to this; it's a recurring theme in darwin land
-  libSystemClosure = [
-    "/usr/lib/libSystem.dylib"
-    "/usr/lib/libSystem.B.dylib"
-    "/usr/lib/libobjc.A.dylib"
-    "/usr/lib/libobjc.dylib"
-    "/usr/lib/libauto.dylib"
-    "/usr/lib/libc++abi.dylib"
-    "/usr/lib/libc++.1.dylib"
-    "/usr/lib/libDiagnosticMessagesClient.dylib"
-    "/usr/lib/system"
-  ];
+  libSystemProfile = builtins.readFile ./standard-sandbox.sb;
 
   fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> {
     url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}";
@@ -46,7 +35,9 @@ in rec {
   '';
 
   # The one dependency of /bin/sh :(
-  binShClosure = [ "/usr/lib/libncurses.5.4.dylib" ];
+  binShClosure = ''
+    (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib"))
+  '';
 
   bootstrapTools = derivation rec {
     inherit system tarball;
@@ -57,7 +48,7 @@ in rec {
 
     inherit (bootstrapFiles) mkdir bzip2 cpio;
 
-    __impureHostDeps  = binShClosure ++ libSystemClosure;
+    __sandboxProfile = binShClosure + libSystemProfile;
   };
 
   stageFun = step: last: {shell             ? "${bootstrapTools}/bin/sh",
@@ -100,8 +91,8 @@ in rec {
         };
 
         # The stdenvs themselves don't use mkDerivation, so I need to specify this here
-        __stdenvImpureHostDeps = binShClosure ++ libSystemClosure;
-        __extraImpureHostDeps  = binShClosure ++ libSystemClosure;
+        __stdenvSandboxProfile = binShClosure + libSystemProfile;
+        __extraSandboxProfile  = binShClosure + libSystemProfile;
 
         extraAttrs = { inherit platform; };
         overrides  = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; };
@@ -178,10 +169,14 @@ in rec {
   };
 
   stage2 = with stage1; stageFun 2 stage1 {
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+
     allowedRequisites =
       [ bootstrapTools ] ++
       (with pkgs; [ xz libcxx libcxxabi icu ]) ++
-      (with pkgs.darwin; [ dyld Libsystem CF ]);
+      (with pkgs.darwin; [ dyld Libsystem CF locale ]);
 
     overrides = persistent1;
   };
@@ -196,7 +191,7 @@ in rec {
 
     darwin = orig.darwin // {
       inherit (darwin)
-        dyld Libsystem xnu configd libdispatch libclosure launchd libiconv;
+        dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale;
     };
   };
 
@@ -209,10 +204,14 @@ in rec {
     # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first.
     extraInitialPath = [ pkgs.bash ];
 
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+
     allowedRequisites =
       [ bootstrapTools ] ++
       (with pkgs; [ icu bash libcxx libcxxabi ]) ++
-      (with pkgs.darwin; [ dyld Libsystem ]);
+      (with pkgs.darwin; [ dyld Libsystem locale ]);
 
     overrides = persistent2;
   };
@@ -230,13 +229,16 @@ in rec {
     };
 
     darwin = orig.darwin // {
-      inherit (darwin) dyld Libsystem libiconv;
+      inherit (darwin) dyld Libsystem libiconv locale;
     };
   };
 
   stage4 = with stage3; stageFun 4 stage3 {
     shell = "${pkgs.bash}/bin/bash";
     extraInitialPath = [ pkgs.bash ];
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
     overrides = persistent3;
   };
 
@@ -263,8 +265,8 @@ in rec {
 
     preHook = commonPreHook;
 
-    __stdenvImpureHostDeps = binShClosure ++ libSystemClosure;
-    __extraImpureHostDeps  = binShClosure ++ libSystemClosure;
+    __stdenvSandboxProfile = binShClosure + libSystemProfile;
+    __extraSandboxProfile  = binShClosure + libSystemProfile;
 
     initialPath = import ../common-path.nix { inherit pkgs; };
     shell       = "${pkgs.bash}/bin/bash";

pkgs/stdenv/pure-darwin/standard-sandbox.sb

@@ -0,0 +1,65 @@
+(define TMPDIR (param "_GLOBAL_TMP_DIR"))
+
+; obvious
+(allow process-fork)
+
+; allow reading system information like #CPUs, etc.
+(allow sysctl-read)
+
+; IPC
+(allow ipc-posix-sem)
+
+; Unix sockets
+(allow system-socket)
+
+; all runtime dependencies of libSystem.dylib
+(allow file-read*
+       (literal "/usr/lib/libSystem.dylib")
+       (literal "/usr/lib/libSystem.B.dylib")
+       (literal "/usr/lib/libobjc.A.dylib")
+       (literal "/usr/lib/libobjc.dylib")
+       (literal "/usr/lib/libauto.dylib")
+       (literal "/usr/lib/libc++abi.dylib")
+       (literal "/usr/lib/libc++.1.dylib")
+       (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+       (subpath "/usr/lib/system"))
+
+; tmp
+(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
+
+; clang likes to read the system version
+(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
+
+; used for bootstrap builders
+(allow process-exec* (literal "/bin/sh"))
+
+; standard devices
+(allow file*
+       (literal "/dev/null")
+       (literal "/dev/random")
+       (literal "/dev/stdin")
+       (literal "/dev/stdout")
+       (literal "/dev/tty")
+       (literal "/dev/urandom")
+       (literal "/dev/zero")
+       (subpath "/dev/fd"))
+
+; does nothing, but reduces build noise
+(allow file* (literal "/dev/dtracehelper"))
+
+; ICU data and zoneinfo data are hardcoded
+; both are in libicucore and zoneinfo is in libsystem_c as well
+(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo"))
+
+; lots of autoconf projects want to list this directory
+(allow file-read-metadata (literal "/var") (literal "/private/var/tmp"))
+
+; mute annoying failures
+(deny file-read-metadata (with no-log)
+       (literal "/etc")
+       (subpath "/usr/bin"))
+
+(deny process-exec* (with no-log)
+      (literal "/usr/bin/arch")
+      (literal "/usr/bin/hostinfo")
+      (literal "/usr/bin/uname"))

pkgs/top-level/all-packages.nix

@@ -1553,7 +1553,7 @@ let
   garmintools = callPackage ../development/libraries/garmintools {};
 
   gawk = callPackage ../tools/text/gawk {
-    locale = darwin.adv_cmds;
+    inherit (darwin) locale;
   };
 
   gawkInteractive = appendToName "interactive"
@@ -5486,7 +5486,7 @@ let
 
   cmake = callPackage ../development/tools/build-managers/cmake {
     wantPS = stdenv.isDarwin;
-    ps     = if stdenv.isDarwin then darwin.adv_cmds else null;
+    inherit (darwin) ps;
   };
 
   cmakeCurses = cmake.override { useNcurses = true; };