OS X sandbox: Improve builtin sandbox profile

Also, add rules to allow fixed-output derivations to access the
network.

These rules are sufficient to build stdenvDarwin without any
__sandboxProfile magic.

src/libstore/sandbox-defaults.sb

@@ -1,62 +1,56 @@
-(allow file-read* file-write-data (literal "/dev/null"))
-(allow ipc-posix*)
-(allow mach-lookup (global-name "com.apple.SecurityServer"))
-
-(allow file-read*
-       (literal "/dev/dtracehelper")
-       (literal "/dev/tty")
-       (literal "/dev/autofs_nowait")
-       (literal "/System/Library/CoreServices/SystemVersion.plist")
-       (literal "/private/var/run/systemkeychaincheck.done")
-       (literal "/private/etc/protocols")
-       (literal "/private/var/tmp")
-       (literal "/private/var/db")
-       (subpath "/private/var/db/mds"))
-
-(allow file-read*
-       (subpath "/usr/share/icu")
-       (subpath "/usr/share/locale")
-       (subpath "/usr/share/zoneinfo"))
-
-(allow file-write*
-       (literal "/dev/tty")
-       (literal "/dev/dtracehelper")
-       (literal "/mds"))
-
-(allow file-ioctl (literal "/dev/dtracehelper"))
-
-(allow file-read-metadata
-       (literal "/var")
-       (literal "/tmp")
-       (literal "/etc/resolv.conf")
-       (literal "/private/etc/resolv.conf"))
-
-(allow file-read*
-       (literal "/private/var/run/resolv.conf"))
-
-; some builders use filehandles other than stdin/stdout
-(allow file*
-        (subpath "/dev/fd")
-        (literal "/dev/ptmx")
-        (regex #"^/dev/[pt]ty.*$"))
-
-; allow everything inside TMP
-(allow file* process-exec
-       (subpath (param "_GLOBAL_TMP_DIR"))
-       (subpath "/private/tmp"))
-
-(allow process-fork)
-(allow sysctl-read)
-(allow signal (target same-sandbox))
-
-; allow getpwuid (for git and other packages)
-(allow mach-lookup
-       (global-name "com.apple.system.notification_center")
-       (global-name "com.apple.system.opendirectoryd.libinfo"))
-
-; allow local networking
-(allow network* (local ip) (remote unix-socket))
+(define TMPDIR (param "_GLOBAL_TMP_DIR"))
 
 ; Disallow creating setuid/setgid binaries, since that
 ; would allow breaking build user isolation.
 (deny file-write-setugid)
+
+; Allow forking.
+(allow process-fork)
+
+; Allow reading system information like #CPUs, etc.
+(allow sysctl-read)
+
+; Allow POSIX semaphores and shared memory.
+(allow ipc-posix*)
+
+; Allow socket creation.
+(allow system-socket)
+
+; Allow sending signals within the sandbox.
+(allow signal (target same-sandbox))
+
+; Access to /tmp.
+(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
+
+; Some packages like to read the system version.
+(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
+
+; Without this line clang cannot write to /dev/null, breaking some configure tests.
+(allow file-read-metadata (literal "/dev"))
+
+; Standard devices.
+(allow file*
+       (literal "/dev/null")
+       (literal "/dev/random")
+       (literal "/dev/stdin")
+       (literal "/dev/stdout")
+       (literal "/dev/tty")
+       (literal "/dev/urandom")
+       (literal "/dev/zero")
+       (subpath "/dev/fd"))
+
+; Does nothing, but reduces build noise.
+(allow file* (literal "/dev/dtracehelper"))
+
+; Allow access to zoneinfo since libSystem needs it.
+(allow file-read* (subpath "/usr/share/zoneinfo"))
+
+(allow file-read* (subpath "/usr/share/locale"))
+
+; This is mostly to get more specific log messages when builds try to
+; access something in /etc or /var.
+(allow file-read-metadata
+       (literal "/etc")
+       (literal "/var")
+       (literal "/private/var/tmp")
+       )