cherry-pick lib.sandbox into master

lib/default.nix

@@ -17,10 +17,11 @@ let
   systems = import ./systems.nix;
   customisation = import ./customisation.nix;
   licenses = import ./licenses.nix;
+  sandbox = import ./sandbox.nix;
 
 in
   { inherit trivial lists strings stringsWithDeps attrsets sources options
-      modules types meta debug maintainers licenses platforms systems;
+      modules types meta debug maintainers licenses platforms systems sandbox;
   }
   # !!! don't include everything at top-level; perhaps only the most
   # commonly used functions.

lib/sandbox.nix

@@ -0,0 +1,47 @@
+with import ./strings.nix;
+
+/* Helpers for creating lisp S-exprs for the Apple sandbox
+
+lib.sandbox.allowFileRead [ "/usr/bin/file" ];
+  # => "(allow file-read* (literal \"/usr/bin/file\"))";
+
+lib.sandbox.allowFileRead {
+  literal = [ "/usr/bin/file" ];
+  subpath = [ "/usr/lib/system" ];
+}
+  # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
+*/
+
+let
+
+sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
+generateFileList = files:
+  if builtins.isList files
+    then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files
+    else if builtins.isString files
+      then generateFileList [ files ]
+      else concatStringsSep " " (
+        (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
+        (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
+      );
+applyToFiles = f: act: files: f "${act} ${generateFileList files}";
+genActions = actionName: let
+  action = feature: sexp [ actionName feature ];
+  self = {
+    "${actionName}" = action;
+    "${actionName}File" = applyToFiles action "file*";
+    "${actionName}FileRead" = applyToFiles action "file-read*";
+    "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
+    "${actionName}DirectoryList" = self."${actionName}FileReadMetadata";
+    "${actionName}FileWrite" = applyToFiles action "file-write*";
+    "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
+  };
+  in self;
+
+in
+
+genActions "allow" // genActions "deny" // {
+  importProfile = derivation: ''
+    (import "${derivation}")
+  '';
+}