Diffstat (limited to 'pkgs/stdenv/darwin')
-rw-r--r-- | pkgs/stdenv/darwin/default.nix | 309 | ||||
-rw-r--r-- | pkgs/stdenv/darwin/make-bootstrap-tools.nix | 286 | ||||
-rw-r--r-- | pkgs/stdenv/darwin/standard-sandbox.sb | 72 | ||||
-rw-r--r-- | pkgs/stdenv/darwin/unpack-bootstrap-tools.sh | 54 |
4 files changed, 721 insertions, 0 deletions
diff --git a/pkgs/stdenv/darwin/default.nix b/pkgs/stdenv/darwin/default.nix
new file mode 100644
index 00000000000..bc3b433e922
--- /dev/null
+++ b/pkgs/stdenv/darwin/default.nix
@@ -0,0 +1,309 @@ +{ system ? builtins.currentSystem +, allPackages ? import ../../top-level/all-packages.nix +, platform ? null +, config ? {} +}: + +let + libSystemProfile = '' + (import "${./standard-sandbox.sb}") + ''; + + fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> { + url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; + inherit sha256 system executable; + }; + + bootstrapFiles = { + sh = fetch { file = "sh"; sha256 = "1siix3wakzil31r2cydmh3v8a1nyq4605dwiabqc5lx73j4xzrzi"; }; + bzip2 = fetch { file = "bzip2"; sha256 = "0zvqm977k11b5cl4ixxb5h0ds24g6z0f8m28z4pqxzpa353lqbla"; }; + mkdir = fetch { file = "mkdir"; sha256 = "13frk8lsfgzlb65p9l26cvxf06aag43yjk7vg9msn7ix3v8cmrg1"; }; + cpio = fetch { file = "cpio"; sha256 = "0ms5i9m1vdksj575sf1djwgm7zhnvfrrb44dxnfh9avr793rc2w4"; }; + }; + + tarball = fetch { file = "bootstrap-tools.cpio.bz2"; sha256 = "1lz1b0grl4642h6n635xvi6imf0yyy1zyzdr9ing5aphzz0z5iic"; executable = false; }; +in rec { + allPackages = import ../../top-level/all-packages.nix; + + commonPreHook = '' + export NIX_ENFORCE_PURITY=1 + export NIX_IGNORE_LD_THROUGH_GCC=1 + stripAllFlags=" " # the Darwin "strip" command doesn't know "-s" + export MACOSX_DEPLOYMENT_TARGET=10.7 + export SDKROOT= + export CMAKE_OSX_ARCHITECTURES=x86_64 + # Workaround for https://openradar.appspot.com/22671534 on 10.11. + export gl_cv_func_getcwd_abort_bug=no + ''; + + # The one dependency of /bin/sh :( + binShClosure = '' + (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib")) + ''; + + bootstrapTools = derivation rec { + inherit system tarball; + + name = "bootstrap-tools"; + builder = bootstrapFiles.sh; # Not a filename! Attribute 'sh' on bootstrapFiles + args = [ ./unpack-bootstrap-tools.sh ]; + + inherit (bootstrapFiles) mkdir bzip2 cpio; + + __sandboxProfile = binShClosure + libSystemProfile; + }; + + stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", + overrides ? 
(pkgs: {}), + extraPreHook ? "", + extraBuildInputs ? with last.pkgs; [ xz darwin.CF libcxx ], + extraInitialPath ? [], + allowedRequisites ? null}: + let + thisStdenv = import ../generic { + inherit system config shell extraBuildInputs allowedRequisites; + + name = "stdenv-darwin-boot-${toString step}"; + + cc = if isNull last then "/dev/null" else import ../../build-support/cc-wrapper { + inherit shell; + inherit (last) stdenv; + inherit (last.pkgs.darwin) dyld; + + nativeTools = true; + nativePrefix = bootstrapTools; + nativeLibc = false; + libc = last.pkgs.darwin.Libsystem; + isClang = true; + cc = { name = "clang-9.9.9"; outPath = bootstrapTools; }; + }; + + preHook = stage0.stdenv.lib.optionalString (shell == "${bootstrapTools}/bin/sh") '' + # Don't patch #!/interpreter because it leads to retained + # dependencies on the bootstrapTools in the final stdenv. + dontPatchShebangs=1 + '' + '' + ${commonPreHook} + ${extraPreHook} + ''; + initialPath = extraInitialPath ++ [ bootstrapTools ]; + fetchurlBoot = import ../../build-support/fetchurl { + stdenv = stage0.stdenv; + curl = bootstrapTools; + }; + + # The stdenvs themselves don't use mkDerivation, so I need to specify this here + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; + + extraAttrs = { inherit platform; }; + overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; + }; + + thisPkgs = allPackages { + inherit system platform; + bootStdenv = thisStdenv; + }; + in { stdenv = thisStdenv; pkgs = thisPkgs; }; + + stage0 = stageFun 0 null { + overrides = orig: with stage0; rec { + darwin = orig.darwin // { + Libsystem = stdenv.mkDerivation { + name = "bootstrap-Libsystem"; + buildCommand = '' + mkdir -p $out + ln -s ${bootstrapTools}/lib $out/lib + ln -s ${bootstrapTools}/include-Libsystem $out/include + ''; + }; + dyld = bootstrapTools; + }; + + libcxx = stdenv.mkDerivation { + name = "bootstrap-libcxx"; + phases = [ 
"installPhase" "fixupPhase" ]; + installPhase = '' + mkdir -p $out/lib $out/include + ln -s ${bootstrapTools}/lib/libc++.dylib $out/lib/libc++.dylib + ln -s ${bootstrapTools}/include/c++ $out/include/c++ + ''; + linkCxxAbi = false; + setupHook = ../../development/compilers/llvm/3.6/libc++/setup-hook.sh; + }; + + libcxxabi = stdenv.mkDerivation { + name = "bootstrap-libcxxabi"; + buildCommand = '' + mkdir -p $out/lib + ln -s ${bootstrapTools}/lib/libc++abi.dylib $out/lib/libc++abi.dylib + ''; + }; + + }; + + extraBuildInputs = []; + }; + + persistent0 = _: {}; + + stage1 = with stage0; stageFun 1 stage0 { + extraPreHook = "export NIX_CFLAGS_COMPILE+=\" -F${bootstrapTools}/Library/Frameworks\""; + extraBuildInputs = [ pkgs.libcxx ]; + + allowedRequisites = + [ bootstrapTools ] ++ (with pkgs; [ libcxx libcxxabi ]) ++ [ pkgs.darwin.Libsystem ]; + + overrides = persistent0; + }; + + persistent1 = orig: with stage1.pkgs; { + inherit + zlib patchutils m4 scons flex perl bison unifdef unzip openssl icu python + libxml2 gettext sharutils gmp libarchive ncurses pkg-config libedit groff + openssh sqlite sed serf openldap db cyrus-sasl expat apr-util subversion xz + findfreetype libssh curl cmake autoconf automake libtool ed cpio coreutils; + + darwin = orig.darwin // { + inherit (darwin) + dyld Libsystem xnu configd libdispatch libclosure launchd; + }; + }; + + stage2 = with stage1; stageFun 2 stage1 { + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + + allowedRequisites = + [ bootstrapTools ] ++ + (with pkgs; [ xz libcxx libcxxabi icu ]) ++ + (with pkgs.darwin; [ dyld Libsystem CF locale ]); + + overrides = persistent1; + }; + + persistent2 = orig: with stage2.pkgs; { + inherit + patchutils m4 scons flex perl bison unifdef unzip openssl python + gettext sharutils libarchive pkg-config groff bash subversion + openssh sqlite sed serf openldap db cyrus-sasl expat apr-util + findfreetype libssh curl cmake autoconf automake libtool cpio + libcxx 
libcxxabi; + + darwin = orig.darwin // { + inherit (darwin) + dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale; + }; + }; + + stage3 = with stage2; stageFun 3 stage2 { + shell = "${pkgs.bash}/bin/bash"; + + # We have a valid shell here (this one has no bootstrap-tools runtime deps) so stageFun + # enables patchShebangs above. Unfortunately, patchShebangs ignores our $SHELL setting + # and instead goes by $PATH, which happens to contain bootstrapTools. So it goes and + # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first. + extraInitialPath = [ pkgs.bash ]; + + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + + allowedRequisites = + [ bootstrapTools ] ++ + (with pkgs; [ icu bash libcxx libcxxabi ]) ++ + (with pkgs.darwin; [ dyld Libsystem locale ]); + + overrides = persistent2; + }; + + persistent3 = orig: with stage3.pkgs; { + inherit + gnumake gzip gnused bzip2 gawk ed xz patch bash + libcxxabi libcxx ncurses libffi zlib gmp pcre gnugrep + coreutils findutils diffutils patchutils; + + llvmPackages = let llvmOverride = llvmPackages.llvm.override { inherit libcxxabi; }; + in orig.llvmPackages // { + llvm = llvmOverride; + clang-unwrapped = llvmPackages.clang-unwrapped.override { llvm = llvmOverride; }; + }; + + darwin = orig.darwin // { + inherit (darwin) dyld Libsystem libiconv locale; + }; + }; + + stage4 = with stage3; stageFun 4 stage3 { + shell = "${pkgs.bash}/bin/bash"; + extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + overrides = persistent3; + }; + + persistent4 = orig: with stage4.pkgs; { + inherit + gnumake gzip gnused bzip2 gawk ed xz patch bash + libcxxabi libcxx ncurses libffi zlib icu llvm gmp pcre gnugrep + coreutils findutils diffutils patchutils binutils binutils-raw; + + llvmPackages = orig.llvmPackages // { + inherit (llvmPackages) llvm clang-unwrapped; + }; + + darwin = orig.darwin // 
{ + inherit (darwin) dyld Libsystem cctools libiconv; + }; + }; + + stage5 = with stage4; import ../generic rec { + inherit system config; + inherit (stdenv) fetchurlBoot; + + name = "stdenv-darwin"; + + preHook = commonPreHook + '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; + + initialPath = import ../common-path.nix { inherit pkgs; }; + shell = "${pkgs.bash}/bin/bash"; + + cc = import ../../build-support/cc-wrapper { + inherit stdenv shell; + nativeTools = false; + nativeLibc = false; + inherit (pkgs) coreutils binutils; + inherit (pkgs.darwin) dyld; + cc = pkgs.llvmPackages.clang-unwrapped; + libc = pkgs.darwin.Libsystem; + }; + + extraBuildInputs = with pkgs; [ darwin.CF libcxx ]; + + extraAttrs = { + inherit platform bootstrapTools; + libc = pkgs.darwin.Libsystem; + shellPackage = pkgs.bash; + }; + + allowedRequisites = (with pkgs; [ + xz libcxx libcxxabi icu gmp gnumake findutils bzip2 llvm zlib libffi + coreutils ed diffutils gnutar gzip ncurses gnused bash gawk + gnugrep llvmPackages.clang-unwrapped patch pcre binutils-raw binutils gettext + ]) ++ (with pkgs.darwin; [ + dyld Libsystem CF cctools libiconv locale + ]); + + overrides = orig: persistent4 orig // { + clang = cc; + inherit cc; + }; + }; +} diff --git a/pkgs/stdenv/darwin/make-bootstrap-tools.nix b/pkgs/stdenv/darwin/make-bootstrap-tools.nix new file mode 100644 index 00000000000..961adbeaaad --- /dev/null +++ b/pkgs/stdenv/darwin/make-bootstrap-tools.nix 
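Review bot: The `allPackages` function argument on the first line is dead: the `rec` set immediately redefines `allPackages = import ../../top-level/all-packages.nix;`, and in `stageFun` the call `thisPkgs = allPackages { ... }` resolves to that rec attribute, so a caller passing its own `allPackages` is silently ignored. Dropping the rec attribute line (`allPackages = import ../../top-level/all-packages.nix;`) makes the parameter effective while keeping the default identical. Separately, `fetch` downloads over plain `http://` and the only thing authenticating the bootstrap binaries is the sha256 handed to `<nix/fetchurl.nix>` (a fixed-output derivation), so a comment such as `# Plain HTTP: integrity of these files rests entirely on the sha256 pins below.` above `bootstrapFiles` would make that dependency explicit to whoever next rotates the hashes or the URL.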
@@ -0,0 +1,286 @@ +with import ../../top-level/all-packages.nix { system = "x86_64-darwin"; }; + +rec { + # We want coreutils without ACL support. + coreutils_ = coreutils.override (orig: { + aclSupport = false; + }); + + build = stdenv.mkDerivation { + name = "stdenv-bootstrap-tools"; + + buildInputs = [nukeReferences cpio]; + + buildCommand = '' + mkdir -p $out/bin $out/lib + + # Our (fake) loader + cp -d ${darwin.dyld}/lib/dyld $out/lib/ + + # C standard library stuff + cp -d ${darwin.Libsystem}/lib/*.o $out/lib/ + cp -d ${darwin.Libsystem}/lib/*.dylib $out/lib/ + cp -d ${darwin.Libsystem}/lib/system/*.dylib $out/lib/ + + # Resolv is actually a link to another package, so let's copy it properly + rm $out/lib/libresolv.9.dylib + cp -L ${darwin.Libsystem}/lib/libresolv.9.dylib $out/lib + + cp -rL ${darwin.Libsystem}/include $out + chmod -R u+w $out/include + cp -rL ${icu}/include* $out/include + cp -rL ${libiconv}/include/* $out/include + cp -rL ${gnugrep.pcre}/include/* $out/include + mv $out/include $out/include-Libsystem + + # Copy coreutils, bash, etc. 
+ cp ${coreutils_}/bin/* $out/bin + (cd $out/bin && rm vdir dir sha*sum pinky factor pathchk runcon shuf who whoami shred users) + + cp ${bash}/bin/bash $out/bin + cp ${findutils}/bin/find $out/bin + cp ${findutils}/bin/xargs $out/bin + cp -d ${diffutils}/bin/* $out/bin + cp -d ${gnused}/bin/* $out/bin + cp -d ${gnugrep}/bin/grep $out/bin + cp ${gawk}/bin/gawk $out/bin + cp -d ${gawk}/bin/awk $out/bin + cp ${gnutar}/bin/tar $out/bin + cp ${gzip}/bin/gzip $out/bin + cp ${bzip2}/bin/bzip2 $out/bin + cp -d ${gnumake}/bin/* $out/bin + cp -d ${patch}/bin/* $out/bin + cp -d ${xz}/bin/xz $out/bin + + # This used to be in-nixpkgs, but now is in the bundle + # because I can't be bothered to make it partially static + cp ${curl}/bin/curl $out/bin + cp -d ${curl}/lib/libcurl*.dylib $out/lib + cp -d ${libssh2}/lib/libssh*.dylib $out/lib + cp -d ${openssl}/lib/*.dylib $out/lib + + cp -d ${gnugrep.pcre}/lib/libpcre*.dylib $out/lib + cp -d ${libiconv}/lib/lib*.dylib $out/lib + cp -d ${gettext}/lib/libintl*.dylib $out/lib + chmod +x $out/lib/libintl*.dylib + cp -d ${ncurses}/lib/libncurses*.dylib $out/lib + + # Copy what we need of clang + cp -d ${llvmPackages.clang-unwrapped}/bin/clang $out/bin + cp -d ${llvmPackages.clang-unwrapped}/bin/clang++ $out/bin + cp -d ${llvmPackages.clang-unwrapped}/bin/clang-[0-9].[0-9] $out/bin + + cp -rL ${llvmPackages.clang-unwrapped}/lib/clang $out/lib + + cp -d ${libcxx}/lib/libc++*.dylib $out/lib + cp -d ${libcxxabi}/lib/libc++abi*.dylib $out/lib + + mkdir $out/include + cp -rd ${libcxx}/include/c++ $out/include + + cp -d ${icu}/lib/libicu*.dylib $out/lib + cp -d ${zlib}/lib/libz.* $out/lib + cp -d ${gmpxx}/lib/libgmp*.* $out/lib + cp -d ${xz}/lib/liblzma*.* $out/lib + + # Copy binutils. 
+ for i in as ld ar ranlib nm strip otool install_name_tool dsymutil; do + cp ${darwin.cctools}/bin/$i $out/bin + done + + cp -rd ${pkgs.darwin.CF}/Library $out + + chmod -R u+w $out + + nuke-refs $out/bin/* + + rpathify() { + local libs=$(${darwin.cctools}/bin/otool -L "$1" | tail -n +2 | grep -o "$NIX_STORE.*-\S*") || true + for lib in $libs; do + ${darwin.cctools}/bin/install_name_tool -change $lib "@rpath/$(basename $lib)" "$1" + done + } + + fix_dyld() { + # This is clearly a hack. Once we have an install_name_tool-alike that can patch dyld, this will be nicer. + ${perl}/bin/perl -i -0777 -pe 's/\/nix\/store\/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-dyld-239\.4\/lib\/dyld/\/usr\/lib\/dyld\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/sg' "$1" + } + + # Strip executables even further + for i in $out/bin/*; do + if test -x $i -a ! -L $i; then + chmod +w $i + + fix_dyld $i + strip $i || true + fi + done + + for i in $out/bin/* $out/lib/*.dylib $out/lib/clang/*/lib/darwin/*.dylib $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation; do + if test -x $i -a ! 
-L $i; then + echo "Adding rpath to $i" + rpathify $i + fi + done + + nuke-refs $out/lib/* + nuke-refs $out/lib/clang/*/lib/darwin/* + nuke-refs $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation + + set -x + mkdir $out/.pack + mv $out/* $out/.pack + mv $out/.pack $out/pack + + mkdir $out/on-server + cp ${stdenv.shell} $out/on-server/sh + cp ${cpio}/bin/cpio $out/on-server + cp ${coreutils_}/bin/mkdir $out/on-server + cp ${bzip2}/bin/bzip2 $out/on-server + + chmod u+w $out/on-server/* + strip $out/on-server/* + nuke-refs $out/on-server/* + + for i in $out/on-server/*; do + fix_dyld $i + done + + (cd $out/pack && (find | cpio -o -H newc)) | bzip2 > $out/on-server/bootstrap-tools.cpio.bz2 + ''; + + allowedReferences = []; + + meta = { + maintainers = [ stdenv.lib.maintainers.copumpkin ]; + }; + }; + + dist = stdenv.mkDerivation { + name = "stdenv-bootstrap-tools"; + + buildCommand = '' + mkdir -p $out/nix-support + echo "file tarball ${build}/on-server/bootstrap-tools.cpio.bz2" >> $out/nix-support/hydra-build-products + echo "file sh ${build}/on-server/sh" >> $out/nix-support/hydra-build-products + echo "file cpio ${build}/on-server/cpio" >> $out/nix-support/hydra-build-products + echo "file mkdir ${build}/on-server/mkdir" >> $out/nix-support/hydra-build-products + echo "file bzip2 ${build}/on-server/bzip2" >> $out/nix-support/hydra-build-products + ''; + }; + + unpack = stdenv.mkDerivation { + name = "unpack"; + + # This is by necessity a near-duplicate of unpack-bootstrap-tools.sh. If we refer to it directly, + # we can't make any changes to it due to our testing stdenv depending on it. Think of this as the + # unpack-bootstrap-tools.sh for the next round of bootstrap tools. + # TODO: think through alternate designs, such as hosting this script as an output of the process. + buildCommand = '' + # Unpack the bootstrap tools tarball. + echo Unpacking the bootstrap tools... 
+ $mkdir $out + $bzip2 -d < $tarball | (cd $out && $cpio -i) + + # Set the ELF interpreter / RPATH in the bootstrap binaries. + echo Patching the tools... + + export PATH=$out/bin + + for i in $out/bin/*; do + if ! test -L $i; then + echo patching $i + install_name_tool -add_rpath $out/lib $i || true + fi + done + + for i in $out/lib/*.dylib $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation; do + if ! test -L $i; then + echo patching $i + + id=$(otool -D "$i" | tail -n 1) + install_name_tool -id "$(dirname $i)/$(basename $id)" $i + + libs=$(otool -L "$i" | tail -n +2 | grep -v Libsystem | cat) + if [ -n "$libs" ]; then + install_name_tool -add_rpath $out/lib $i + fi + fi + done + + ln -s bash $out/bin/sh + ln -s bzip2 $out/bin/bunzip2 + + cat >$out/bin/dsymutil << EOF + #!$out/bin/sh + EOF + ''; + + tarball = "${build}/on-server/bootstrap-tools.cpio.bz2"; + + mkdir = "${build}/on-server/mkdir"; + bzip2 = "${build}/on-server/bzip2"; + cpio = "${build}/on-server/cpio"; + + allowedReferences = [ "out" ]; + }; + + test = stdenv.mkDerivation { + name = "test"; + + realBuilder = "${unpack}/bin/bash"; + + buildCommand = '' + export PATH=${unpack}/bin + ls -l + mkdir $out + mkdir $out/bin + sed --version + find --version + diff --version + patch --version + make --version + awk --version + grep --version + clang --version + xz --version + + # The grep will return a nonzero exit code if there is no match, and we want to assert that we have + # an SSL-capable curl + curl --version | grep SSL + + ${build}/on-server/sh -c 'echo Hello World' + + export flags="-idirafter ${unpack}/include-Libsystem --sysroot=${unpack} -L${unpack}/lib" + + export CPP="clang -E $flags" + export CC="clang $flags -Wl,-rpath,${unpack}/lib -Wl,-v" + export CXX="clang++ $flags --stdlib=libc++ -lc++abi -isystem${unpack}/include/c++/v1 -Wl,-rpath,${unpack}/lib -Wl,-v" + + echo '#include <stdio.h>' >> foo.c + echo '#include <float.h>' >> foo.c + echo '#include <limits.h>' >> foo.c 
+ echo 'int main() { printf("Hello World\n"); return 0; }' >> foo.c + $CC -o $out/bin/foo foo.c + $out/bin/foo + + echo '#include <CoreFoundation/CoreFoundation.h>' >> bar.c + echo 'int main() { CFShow(CFSTR("Hullo")); return 0; }' >> bar.c + $CC -F${unpack}/Library/Frameworks -framework CoreFoundation -o $out/bin/bar bar.c + $out/bin/bar + + echo '#include <iostream>' >> bar.cc + echo 'int main() { std::cout << "Hello World\n"; }' >> bar.cc + $CXX -v -o $out/bin/bar bar.cc + $out/bin/bar + + tar xvf ${hello.src} + cd hello-* + ./configure --prefix=$out + make + make install + + $out/bin/hello + ''; + }; +} diff --git a/pkgs/stdenv/darwin/standard-sandbox.sb b/pkgs/stdenv/darwin/standard-sandbox.sb new file mode 100644 index 00000000000..b87be89f35f --- /dev/null +++ b/pkgs/stdenv/darwin/standard-sandbox.sb 
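Review bot: The `unpack` derivation filters `otool -L` output with `grep -v Libsystem`, while the script it is documented to mirror, `unpack-bootstrap-tools.sh`, uses `grep -v libSystem`; the two spellings match different things (the package name vs. the library file name, and `rpathify` in `build` has already rewritten store paths to `@rpath/<basename>`), so one of them is probably excluding nothing and the `-add_rpath` decision differs between the two unpackers. Pick one spelling for both, e.g. `libs=$(otool -L "$i" | tail -n +2 | grep -v libSystem | cat)`. `fix_dyld` also depends on `nuke-refs` having produced exactly `/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-dyld-239.4/lib/dyld`; if the dyld version or path ever differs, the substitution silently does nothing and the binary keeps a dangling loader path, so a check after the loop (e.g. `grep -q eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-dyld "$i" && exit 1`) would turn that into a build failure instead of a broken tarball. The comment `# Set the ELF interpreter / RPATH in the bootstrap binaries.` in `unpack` and again in `unpack-bootstrap-tools.sh` describes Linux; on Darwin the loop edits Mach-O load commands (`install_name_tool -id`/`-add_rpath`), so `# Fix Mach-O install names and add an RPATH to the bootstrap binaries.` would be accurate in both places.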
@@ -0,0 +1,72 @@ +(define TMPDIR (param "_GLOBAL_TMP_DIR")) + +; obvious +(allow process-fork) + +; allow reading system information like #CPUs, etc. +(allow sysctl-read) + +; IPC +(allow ipc-posix*) + +; Unix sockets +(allow system-socket) + +; all runtime dependencies of libSystem.dylib +(allow file-read* + (literal "/usr/lib/libSystem.dylib") + (literal "/usr/lib/libSystem.B.dylib") + (literal "/usr/lib/libobjc.A.dylib") + (literal "/usr/lib/libobjc.dylib") + (literal "/usr/lib/libauto.dylib") + (literal "/usr/lib/libc++abi.dylib") + (literal "/usr/lib/libc++.1.dylib") + (literal "/usr/lib/libDiagnosticMessagesClient.dylib") + (subpath "/usr/lib/system")) + +; tmp +(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) + +; clang likes to read the system version +(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) + +; used for bootstrap builders +(allow process-exec* (literal "/bin/sh")) + +; without this line clang cannot write to /dev/null, breaking some configure tests +(allow file-read-metadata (literal "/dev")) + +; standard devices +(allow file* + (literal "/dev/null") + (literal "/dev/random") + (literal "/dev/stdin") + (literal "/dev/stdout") + (literal "/dev/tty") + (literal "/dev/urandom") + (literal "/dev/zero") + (subpath "/dev/fd")) + +; does nothing, but reduces build noise +(allow file* (literal "/dev/dtracehelper")) + +; ICU data and zoneinfo data are hardcoded +; both are in libicucore and zoneinfo is in libsystem_c as well +(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo")) + +; no idea what this is +(allow file-read-data (literal "/dev/autofs_nowait")) + +; lots of autoconf projects want to list this directory +(allow file-read-metadata (literal "/var") (literal "/private/var/tmp")) + +; send signals +(allow signal (target same-sandbox)) + +; allow getpwuid (for git and other packages) +(allow mach-lookup + (global-name "com.apple.system.notification_center") + (global-name 
"com.apple.system.opendirectoryd.libinfo")) + +; allow networking on localhost +(allow network* (local ip) (remote unix-socket)) diff --git a/pkgs/stdenv/darwin/unpack-bootstrap-tools.sh b/pkgs/stdenv/darwin/unpack-bootstrap-tools.sh new file mode 100644 index 00000000000..8033c7004d9 --- /dev/null +++ b/pkgs/stdenv/darwin/unpack-bootstrap-tools.sh @@ -0,0 +1,54 @@ +set -e + +# Unpack the bootstrap tools tarball. +echo Unpacking the bootstrap tools... +$mkdir $out +$bzip2 -d < $tarball | (cd $out && $cpio -i) + +# Set the ELF interpreter / RPATH in the bootstrap binaries. +echo Patching the tools... + +export PATH=$out/bin + +for i in $out/bin/*; do + if ! test -L $i; then + echo patching $i + install_name_tool -add_rpath $out/lib $i || true + fi +done + +for i in $out/lib/*.dylib $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation; do + if ! test -L $i; then + echo patching $i + + id=$(otool -D "$i" | tail -n 1) + install_name_tool -id "$(dirname $i)/$(basename $id)" $i + + libs=$(otool -L "$i" | tail -n +2 | grep -v libSystem | cat) + if [ -n "$libs" ]; then + install_name_tool -add_rpath $out/lib $i + fi + fi +done + +ln -s bash $out/bin/sh +ln -s bzip2 $out/bin/bunzip2 + +# Provide a gunzip script. +cat > $out/bin/gunzip <<EOF +#!$out/bin/sh +exec $out/bin/gzip -d "\$@" +EOF +chmod +x $out/bin/gunzip + +# Provide fgrep/egrep. +echo "#! $out/bin/sh" > $out/bin/egrep +echo "exec $out/bin/grep -E \"\$@\"" >> $out/bin/egrep +echo "#! $out/bin/sh" > $out/bin/fgrep +echo "exec $out/bin/grep -F \"\$@\"" >> $out/bin/fgrep + +cat >$out/bin/dsymutil << EOF +#!$out/bin/sh +EOF + +chmod +x $out/bin/egrep $out/bin/fgrep $out/bin/dsymutil |