diff --git a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix
index 0ce9c54e48c..2c7da5be6e4 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, appleDerivation, fetchzip, bootstrap_cmds, bison, flex, gnum4, unifdef, perl }:
+{ stdenv, appleDerivation, fetchzip, bootstrap_cmds, bison, flex, gnum4, unifdef, perl, python }:
 
 appleDerivation {
   phases = [ "unpackPhase" "patchPhase" "installPhase" ];
 
-  buildInputs = [ bootstrap_cmds bison flex gnum4 unifdef perl ];
+  buildInputs = [ bootstrap_cmds bison flex gnum4 unifdef perl python ];
 
   patchPhase = ''
     substituteInPlace Makefile \
diff --git a/pkgs/stdenv/darwin/default.nix b/pkgs/stdenv/darwin/default.nix
index 36fa474b431..ea1848492cd 100644
--- a/pkgs/stdenv/darwin/default.nix
+++ b/pkgs/stdenv/darwin/default.nix
@@ -21,9 +21,11 @@ assert crossSystem == null;
 let
   inherit (localSystem) system platform;
 
-  libSystemProfile = ''
-    (import "${./standard-sandbox.sb}")
-  '';
+  commonImpureHostDeps = [
+    "/bin/sh"
+    "/usr/lib/libSystem.B.dylib"
+    "/usr/lib/system/libunc.dylib" # This ependency is "hidden", so our scanning code doesn't pick it up
+  ];
 in rec {
   commonPreHook = ''
     export NIX_ENFORCE_PURITY="''${NIX_ENFORCE_PURITY-1}"
@@ -37,11 +39,6 @@ in rec {
     export gl_cv_func_getcwd_abort_bug=no
   '';
 
-  # The one dependency of /bin/sh :(
-  binShClosure = ''
-    (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib"))
-  '';
-
   bootstrapTools = derivation rec {
     inherit system;
 
@@ -53,7 +50,7 @@ in rec {
 
     reexportedLibrariesFile = ../../os-specific/darwin/apple-source-releases/Libsystem/reexported_libraries;
 
-    __sandboxProfile = binShClosure + libSystemProfile;
+    __impureHostDeps = commonImpureHostDeps;
   };
 
   stageFun = step: last: {shell ? "${bootstrapTools}/bin/bash",
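Review bot: The inline comment on the `libunc.dylib` entry has a typo and, more importantly, the new allow-list loses the per-path rationale the deleted sandbox profile carried, which is what the next person debugging a sandbox denial will need. I would change it to `"/usr/lib/system/libunc.dylib" # "hidden" dependency of libSystem: our dependency scanner does not find it, so list it explicitly`. Listing only `/usr/lib/libSystem.B.dylib` where the old profile also allowed libobjc, libauto, libc++ and all of `/usr/lib/system` presumably relies on the scanner following that library's reexports; worth confirming before merging, since the old `/bin/sh` -> `libncurses.5.4.dylib` entry is dropped on the same assumption. These are host-versioned paths, so a one-line comment naming the macOS release they were verified against would help when they drift.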
@@ -108,8 +105,8 @@ in rec {
     };
 
     # The stdenvs themselves don't use mkDerivation, so I need to specify this here
-    stdenvSandboxProfile = binShClosure + libSystemProfile;
-    extraSandboxProfile = binShClosure + libSystemProfile;
+    __stdenvImpureHostDeps = commonImpureHostDeps;
+    __extraImpureHostDeps = commonImpureHostDeps;
 
     extraAttrs = {
       inherit platform;
@@ -167,7 +164,7 @@ in rec {
   };
 
   stage1 = prevStage: let
-    persistent = _: _: {};
+    persistent = _: super: { python = super.python.override { configd = null; }; };
   in with prevStage; stageFun 1 prevStage {
     extraPreHook = "export NIX_CFLAGS_COMPILE+=\" -F${bootstrapTools}/Library/Frameworks\"";
     extraNativeBuildInputs = [];
@@ -317,8 +314,8 @@ in rec {
       export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
     '';
 
-    stdenvSandboxProfile = binShClosure + libSystemProfile;
-    extraSandboxProfile = binShClosure + libSystemProfile;
+    __stdenvImpureHostDeps = commonImpureHostDeps;
+    __extraImpureHostDeps = commonImpureHostDeps;
 
     initialPath = import ../common-path.nix { inherit pkgs; };
     shell = "${pkgs.bash}/bin/bash";
@@ -364,6 +361,10 @@ in rec {
       clang = cc;
       llvmPackages = persistent'.llvmPackages // { clang = cc; };
       inherit cc;
+
+      darwin = super.darwin // {
+        xnu = super.darwin.xnu.override { python = super.python.override { configd = null; }; };
+      };
     };
   };
 
diff --git a/pkgs/stdenv/darwin/standard-sandbox.sb b/pkgs/stdenv/darwin/standard-sandbox.sb
deleted file mode 100644
index b87be89f35f..00000000000
--- a/pkgs/stdenv/darwin/standard-sandbox.sb
+++ /dev/null
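Review bot: The new `persistent` override in `stage1` disables `configd` for python with no explanation, and the reason is not recoverable from this hunk. A one-line comment above it would spare the next reader a bisect, something like `# python's configd dependency is not available this early in the bootstrap, so build it without (presumably to avoid a cycle through the darwin packages) -- verify`, adjusted to whatever the real reason is. The `stageFun 1 prevStage { ... }` call this feeds continues past the end of the hunk.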
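Review bot: `super.python.override { configd = null; }` in the final stage's `xnu` override is the same expression introduced in `stage1`, written out a second time inline, so the two will silently diverge if one is edited. I would bind it once in the enclosing `let`, e.g. `pythonWithoutConfigd = super.python.override { configd = null; };`, and reference it from both places, with a comment stating why xnu in particular needs a configd-free python (the hunk does not say; a dependency cycle through `darwin.configd` seems likely but should be confirmed). The attribute set this `darwin = super.darwin // { ... }` lives in is closed outside the hunk.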
@@ -1,72 +0,0 @@
-(define TMPDIR (param "_GLOBAL_TMP_DIR"))
-
-; obvious
-(allow process-fork)
-
-; allow reading system information like #CPUs, etc.
-(allow sysctl-read)
-
-; IPC
-(allow ipc-posix*)
-
-; Unix sockets
-(allow system-socket)
-
-; all runtime dependencies of libSystem.dylib
-(allow file-read*
-  (literal "/usr/lib/libSystem.dylib")
-  (literal "/usr/lib/libSystem.B.dylib")
-  (literal "/usr/lib/libobjc.A.dylib")
-  (literal "/usr/lib/libobjc.dylib")
-  (literal "/usr/lib/libauto.dylib")
-  (literal "/usr/lib/libc++abi.dylib")
-  (literal "/usr/lib/libc++.1.dylib")
-  (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
-  (subpath "/usr/lib/system"))
-
-; tmp
-(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
-
-; clang likes to read the system version
-(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
-
-; used for bootstrap builders
-(allow process-exec* (literal "/bin/sh"))
-
-; without this line clang cannot write to /dev/null, breaking some configure tests
-(allow file-read-metadata (literal "/dev"))
-
-; standard devices
-(allow file*
-  (literal "/dev/null")
-  (literal "/dev/random")
-  (literal "/dev/stdin")
-  (literal "/dev/stdout")
-  (literal "/dev/tty")
-  (literal "/dev/urandom")
-  (literal "/dev/zero")
-  (subpath "/dev/fd"))
-
-; does nothing, but reduces build noise
-(allow file* (literal "/dev/dtracehelper"))
-
-; ICU data and zoneinfo data are hardcoded
-; both are in libicucore and zoneinfo is in libsystem_c as well
-(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo"))
-
-; no idea what this is
-(allow file-read-data (literal "/dev/autofs_nowait"))
-
-; lots of autoconf projects want to list this directory
-(allow file-read-metadata (literal "/var") (literal "/private/var/tmp"))
-
-; send signals
-(allow signal (target same-sandbox))
-
-; allow getpwuid (for git and other packages)
-(allow mach-lookup
-  (global-name "com.apple.system.notification_center")
-  (global-name "com.apple.system.opendirectoryd.libinfo"))
-
-; allow networking on localhost
-(allow network* (local ip) (remote unix-socket))