OS X sandbox: Improve builtin sandbox profile

Also, add rules to allow fixed-output derivations to access the
network.

These rules are sufficient to build stdenvDarwin without any
__sandboxProfile magic.

.gitignore

@@ -50,6 +50,7 @@ perl/Makefile.config
 # /src/libstore/
 /src/libstore/schema.sql.gen.hh
 /src/libstore/sandbox-defaults.sb.gen.hh
+/src/libstore/sandbox-network.sb.gen.hh
 
 /src/nix/nix
 

src/libstore/build.cc

@@ -2614,8 +2614,9 @@ void DerivationGoal::runChild()
         string sandboxProfile;
         if (drv->isBuiltin()) {
             ;
+        }
 #if __APPLE__
-        } else if (useChroot) {
+        else if (useChroot) {
             /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
             PathSet ancestry;
 
@@ -2653,9 +2654,14 @@ void DerivationGoal::runChild()
             }
 
             sandboxProfile +=
-#include "sandbox-defaults.sb.gen.hh"
+                #include "sandbox-defaults.sb.gen.hh"
                 ;
 
+            if (fixedOutput)
+                sandboxProfile +=
+                    #include "sandbox-network.sb.gen.hh"
+                    ;
+
             /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
                to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
             Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true);
@@ -2718,8 +2724,9 @@ void DerivationGoal::runChild()
             args.push_back("-D");
             args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
             args.push_back(drv->builder);
+        }
 #endif
-        } else {
+        else {
             builder = drv->builder.c_str();
             string builderBasename = baseNameOf(drv->builder);
             args.push_back(builderBasename);

src/libstore/local.mk

@@ -36,14 +36,14 @@ libstore_CXXFLAGS = \
 
 $(d)/local-store.cc: $(d)/schema.sql.gen.hh
 
-$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh
+$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh
 
 %.gen.hh: %
-	echo 'R"foo(' >> $@.tmp
-	cat $< >> $@.tmp
-	echo ')foo"' >> $@.tmp
-	mv $@.tmp $@
+	@echo 'R"foo(' >> $@.tmp
+	$(trace-gen) cat $< >> $@.tmp
+	@echo ')foo"' >> $@.tmp
+	@mv $@.tmp $@
 
-clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh
+clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh
 
 $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))

src/libstore/sandbox-defaults.sb

@@ -1,62 +1,56 @@
-(allow file-read* file-write-data (literal "/dev/null"))
-(allow ipc-posix*)
-(allow mach-lookup (global-name "com.apple.SecurityServer"))
-
-(allow file-read*
-       (literal "/dev/dtracehelper")
-       (literal "/dev/tty")
-       (literal "/dev/autofs_nowait")
-       (literal "/System/Library/CoreServices/SystemVersion.plist")
-       (literal "/private/var/run/systemkeychaincheck.done")
-       (literal "/private/etc/protocols")
-       (literal "/private/var/tmp")
-       (literal "/private/var/db")
-       (subpath "/private/var/db/mds"))
-
-(allow file-read*
-       (subpath "/usr/share/icu")
-       (subpath "/usr/share/locale")
-       (subpath "/usr/share/zoneinfo"))
-
-(allow file-write*
-       (literal "/dev/tty")
-       (literal "/dev/dtracehelper")
-       (literal "/mds"))
-
-(allow file-ioctl (literal "/dev/dtracehelper"))
-
-(allow file-read-metadata
-       (literal "/var")
-       (literal "/tmp")
-       (literal "/etc/resolv.conf")
-       (literal "/private/etc/resolv.conf"))
-
-(allow file-read*
-       (literal "/private/var/run/resolv.conf"))
-
-; some builders use filehandles other than stdin/stdout
-(allow file*
-        (subpath "/dev/fd")
-        (literal "/dev/ptmx")
-        (regex #"^/dev/[pt]ty.*$"))
-
-; allow everything inside TMP
-(allow file* process-exec
-       (subpath (param "_GLOBAL_TMP_DIR"))
-       (subpath "/private/tmp"))
-
-(allow process-fork)
-(allow sysctl-read)
-(allow signal (target same-sandbox))
-
-; allow getpwuid (for git and other packages)
-(allow mach-lookup
-       (global-name "com.apple.system.notification_center")
-       (global-name "com.apple.system.opendirectoryd.libinfo"))
-
-; allow local networking
-(allow network* (local ip) (remote unix-socket))
+(define TMPDIR (param "_GLOBAL_TMP_DIR"))
 
 ; Disallow creating setuid/setgid binaries, since that
 ; would allow breaking build user isolation.
 (deny file-write-setugid)
+
+; Allow forking.
+(allow process-fork)
+
+; Allow reading system information like #CPUs, etc.
+(allow sysctl-read)
+
+; Allow POSIX semaphores and shared memory.
+(allow ipc-posix*)
+
+; Allow socket creation.
+(allow system-socket)
+
+; Allow sending signals within the sandbox.
+(allow signal (target same-sandbox))
+
+; Access to /tmp.
+(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
+
+; Some packages like to read the system version.
+(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
+
+; Without this line clang cannot write to /dev/null, breaking some configure tests.
+(allow file-read-metadata (literal "/dev"))
+
+; Standard devices.
+(allow file*
+       (literal "/dev/null")
+       (literal "/dev/random")
+       (literal "/dev/stdin")
+       (literal "/dev/stdout")
+       (literal "/dev/tty")
+       (literal "/dev/urandom")
+       (literal "/dev/zero")
+       (subpath "/dev/fd"))
+
+; Does nothing, but reduces build noise.
+(allow file* (literal "/dev/dtracehelper"))
+
+; Allow access to zoneinfo since libSystem needs it.
+(allow file-read* (subpath "/usr/share/zoneinfo"))
+
+(allow file-read* (subpath "/usr/share/locale"))
+
+; This is mostly to get more specific log messages when builds try to
+; access something in /etc or /var.
+(allow file-read-metadata
+       (literal "/etc")
+       (literal "/var")
+       (literal "/private/var/tmp")
+       )

src/libstore/sandbox-network.sb

@@ -0,0 +1,16 @@
+; Allow local and remote network traffic.
+(allow network* (local ip) (remote ip))
+
+; Allow access to /etc/resolv.conf (which is a symlink to
+; /private/var/run/resolv.conf).
+(allow file-read-metadata
+       (literal "/var")
+       (literal "/etc")
+       (literal "/etc/resolv.conf")
+       (literal "/private/etc/resolv.conf"))
+
+(allow file-read*
+       (literal "/private/var/run/resolv.conf"))
+
+; Allow DNS lookups.
+(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))