authorVladimír Čunát <vcunat@gmail.com>2015-12-05 11:11:51 +0100
committerVladimír Čunát <vcunat@gmail.com>2015-12-05 11:11:51 +0100
commit263fd55d4b2d9c17dac87ee7a7a39c951aee1b86 (patch)
tree50c30ebb0626be0b3333d90202081e8697a85abf /pkgs/stdenv
parentb1dca6ca881e3e5864c60a2ef206579ce4d718b1 (diff)
parentc20b6846f2ec4b1fe70d62fe99d165476aed65d0 (diff)
Merge recent staging built on Hydra
http://hydra.nixos.org/eval/1231884
Only Darwin jobs seem to be queued now,
but we can't afford to wait for that single build slave.
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r--pkgs/stdenv/generic/default.nix19
-rw-r--r--pkgs/stdenv/pure-darwin/default.nix56
-rw-r--r--pkgs/stdenv/pure-darwin/standard-sandbox.sb72
3 files changed, 120 insertions, 27 deletions
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 1a2ca5038b2..8e6bf2be63f 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , extraBuildInputs ? []
 , __stdenvImpureHostDeps ? []
 , __extraImpureHostDeps ? []
+, stdenvSandboxProfile ? ""
+, extraSandboxProfile ? ""
 }:
 
 let
@@ -100,6 +102,8 @@ let
     , outputs ? [ "out" ]
     , __impureHostDeps ? []
     , __propagatedImpureHostDeps ? []
+    , sandboxProfile ? ""
+    , propagatedSandboxProfile ? ""
     , ... } @ attrs:
     let
       pos' =
@@ -165,9 +169,13 @@ let
       lib.addPassthru (derivation (
         (removeAttrs attrs
           ["meta" "passthru" "crossAttrs" "pos"
-           "__impureHostDeps" "__propagatedImpureHostDeps"])
+           "__impureHostDeps" "__propagatedImpureHostDeps"
+           "sandboxProfile" "propagatedSandboxProfile"])
         // (let
-          # TODO: remove lib.unique once nix has a list canonicalization primitive
+          computedSandboxProfile =
+            lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs);
+          computedPropagatedSandboxProfile =
+            lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs);
           computedImpureHostDeps =
             lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs));
           computedPropagatedImpureHostDeps =
@@ -189,6 +197,12 @@ let
           propagatedNativeBuildInputs = propagatedNativeBuildInputs ++
             (if crossConfig == null then propagatedBuildInputs else []);
         } // ifDarwin {
+          # TODO: remove lib.unique once nix has a list canonicalization primitive
+          __sandboxProfile =
+          let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
+              final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
+          in final;
+          __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
           __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
             "/dev/zero"
             "/dev/random"
@@ -232,6 +246,7 @@ let
       inherit preHook initialPath shell defaultNativeBuildInputs;
     }
     // ifDarwin {
+      __sandboxProfile = stdenvSandboxProfile;
       __impureHostDeps = __stdenvImpureHostDeps;
     })
 
diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix
index d13dc98cd74..bc3b433e922 100644
--- a/pkgs/stdenv/pure-darwin/default.nix
+++ b/pkgs/stdenv/pure-darwin/default.nix
@@ -5,18 +5,9 @@
 }:
 
 let
-  # libSystem and its transitive dependencies. Get used to this; it's a recurring theme in darwin land
-  libSystemClosure = [
-    "/usr/lib/libSystem.dylib"
-    "/usr/lib/libSystem.B.dylib"
-    "/usr/lib/libobjc.A.dylib"
-    "/usr/lib/libobjc.dylib"
-    "/usr/lib/libauto.dylib"
-    "/usr/lib/libc++abi.dylib"
-    "/usr/lib/libc++.1.dylib"
-    "/usr/lib/libDiagnosticMessagesClient.dylib"
-    "/usr/lib/system"
-  ];
+  libSystemProfile = ''
+    (import "${./standard-sandbox.sb}")
+  '';
 
   fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> {
     url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}";
@@ -46,7 +37,9 @@ in rec {
   '';
 
   # The one dependency of /bin/sh :(
-  binShClosure = [ "/usr/lib/libncurses.5.4.dylib" ];
+  binShClosure = ''
+    (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib"))
+  '';
 
   bootstrapTools = derivation rec {
     inherit system tarball;
@@ -57,7 +50,7 @@ in rec {
 
     inherit (bootstrapFiles) mkdir bzip2 cpio;
 
-    __impureHostDeps  = binShClosure ++ libSystemClosure;
+    __sandboxProfile = binShClosure + libSystemProfile;
   };
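Review bot: `bootstrapTools` drops `__impureHostDeps` entirely in favour of `__sandboxProfile`, so on a Nix that does not recognise `__sandboxProfile` the attribute is, as far as I can tell, just passed through as an ordinary derivation attribute and the libSystem/`libncurses` allowances silently disappear rather than failing loudly. Since this is the very first derivation of the bootstrap, a short comment recording the dependency would help whoever hits an opaque dyld failure, e.g. `# __sandboxProfile (raw SBPL) replaces __impureHostDeps; it is only honoured by a Nix whose Darwin sandbox understands it.` The `derivation rec { ... }` this belongs to starts outside the hunk.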
 
   stageFun = step: last: {shell             ? "${bootstrapTools}/bin/sh",
@@ -100,8 +93,8 @@ in rec {
         };
 
         # The stdenvs themselves don't use mkDerivation, so I need to specify this here
-        __stdenvImpureHostDeps = binShClosure ++ libSystemClosure;
-        __extraImpureHostDeps  = binShClosure ++ libSystemClosure;
+        stdenvSandboxProfile = binShClosure + libSystemProfile;
+        extraSandboxProfile  = binShClosure + libSystemProfile;
 
         extraAttrs = { inherit platform; };
         overrides  = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; };
@@ -178,10 +171,14 @@ in rec {
   };
 
   stage2 = with stage1; stageFun 2 stage1 {
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+
     allowedRequisites =
       [ bootstrapTools ] ++
       (with pkgs; [ xz libcxx libcxxabi icu ]) ++
-      (with pkgs.darwin; [ dyld Libsystem CF ]);
+      (with pkgs.darwin; [ dyld Libsystem CF locale ]);
 
     overrides = persistent1;
   };
@@ -196,7 +193,7 @@ in rec {
 
     darwin = orig.darwin // {
       inherit (darwin)
-        dyld Libsystem xnu configd libdispatch libclosure launchd libiconv;
+        dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale;
     };
   };
 
@@ -209,10 +206,14 @@ in rec {
     # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first.
     extraInitialPath = [ pkgs.bash ];
 
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+
     allowedRequisites =
       [ bootstrapTools ] ++
       (with pkgs; [ icu bash libcxx libcxxabi ]) ++
-      (with pkgs.darwin; [ dyld Libsystem ]);
+      (with pkgs.darwin; [ dyld Libsystem locale ]);
 
     overrides = persistent2;
   };
@@ -230,13 +231,16 @@ in rec {
     };
 
     darwin = orig.darwin // {
-      inherit (darwin) dyld Libsystem libiconv;
+      inherit (darwin) dyld Libsystem libiconv locale;
     };
   };
 
   stage4 = with stage3; stageFun 4 stage3 {
     shell = "${pkgs.bash}/bin/bash";
     extraInitialPath = [ pkgs.bash ];
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
     overrides = persistent3;
   };
 
@@ -251,7 +255,7 @@ in rec {
     };
 
     darwin = orig.darwin // {
-      inherit (darwin) dyld Libsystem cctools CF libiconv;
+      inherit (darwin) dyld Libsystem cctools libiconv;
     };
   };
 
@@ -261,10 +265,12 @@ in rec {
 
     name = "stdenv-darwin";
 
-    preHook = commonPreHook;
+    preHook = commonPreHook + ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
 
-    __stdenvImpureHostDeps = binShClosure ++ libSystemClosure;
-    __extraImpureHostDeps  = binShClosure ++ libSystemClosure;
+    stdenvSandboxProfile = binShClosure + libSystemProfile;
+    extraSandboxProfile  = binShClosure + libSystemProfile;
 
     initialPath = import ../common-path.nix { inherit pkgs; };
     shell       = "${pkgs.bash}/bin/bash";
@@ -292,7 +298,7 @@ in rec {
       coreutils ed diffutils gnutar gzip ncurses gnused bash gawk
       gnugrep llvmPackages.clang-unwrapped patch pcre binutils-raw binutils gettext
     ]) ++ (with pkgs.darwin; [
-      dyld Libsystem CF cctools libiconv
+      dyld Libsystem CF cctools libiconv locale
     ]);
 
     overrides = orig: persistent4 orig // {
diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
new file mode 100644
index 00000000000..b87be89f35f
--- /dev/null
+++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
@@ -0,0 +1,72 @@
+(define TMPDIR (param "_GLOBAL_TMP_DIR"))
+
+; obvious
+(allow process-fork)
+
+; allow reading system information like #CPUs, etc.
+(allow sysctl-read)
+
+; IPC
+(allow ipc-posix*)
+
+; Unix sockets
+(allow system-socket)
+
+; all runtime dependencies of libSystem.dylib
+(allow file-read*
+       (literal "/usr/lib/libSystem.dylib")
+       (literal "/usr/lib/libSystem.B.dylib")
+       (literal "/usr/lib/libobjc.A.dylib")
+       (literal "/usr/lib/libobjc.dylib")
+       (literal "/usr/lib/libauto.dylib")
+       (literal "/usr/lib/libc++abi.dylib")
+       (literal "/usr/lib/libc++.1.dylib")
+       (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+       (subpath "/usr/lib/system"))
+
+; tmp
+(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
+
+; clang likes to read the system version
+(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
+
+; used for bootstrap builders
+(allow process-exec* (literal "/bin/sh"))
+
+; without this line clang cannot write to /dev/null, breaking some configure tests
+(allow file-read-metadata (literal "/dev"))
+
+; standard devices
+(allow file*
+       (literal "/dev/null")
+       (literal "/dev/random")
+       (literal "/dev/stdin")
+       (literal "/dev/stdout")
+       (literal "/dev/tty")
+       (literal "/dev/urandom")
+       (literal "/dev/zero")
+       (subpath "/dev/fd"))
+
+; does nothing, but reduces build noise
+(allow file* (literal "/dev/dtracehelper"))
+
+; ICU data and zoneinfo data are hardcoded
+; both are in libicucore and zoneinfo is in libsystem_c as well
+(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo"))
+
+; no idea what this is
+(allow file-read-data (literal "/dev/autofs_nowait"))
+
+; lots of autoconf projects want to list this directory
+(allow file-read-metadata (literal "/var") (literal "/private/var/tmp"))
+
+; send signals
+(allow signal (target same-sandbox))
+
+; allow getpwuid (for git and other packages)
+(allow mach-lookup
+       (global-name "com.apple.system.notification_center")
+       (global-name "com.apple.system.opendirectoryd.libinfo"))
+
+; allow networking on localhost
+(allow network* (local ip) (remote unix-socket))
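Review bot: The last rule, `(allow network* (local ip) (remote unix-socket))`, is broader than its comment "allow networking on localhost": as I read SBPL, `(local ip)` with no address matches any local IP endpoint, so `network-bind`/`network-inbound` on every interface is permitted, not just loopback. If loopback really is the intent, the filter should name it, e.g. `(allow network* (local ip "localhost:*") (remote unix-socket))`, and the comment should say what is actually allowed either way. Separately, `(allow ipc-posix*)` is unfiltered, so named POSIX shm/semaphores can be shared between concurrently running builds; if that is accepted, a one-line comment acknowledging it would stop a later reader from assuming builds are isolated from each other. The `(allow process-exec* (literal "/bin/sh"))` rule is a deliberate host impurity and is already annotated, which is the pattern I would apply to these two as well.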