use per-derivation sandbox profiles

6 files changed, 54 insertions, 14 deletions

diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
index 55c8279340b7..0eac8fcae398 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }:
+{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }:
 
 # this project uses blocks, a clang-only extension
 assert stdenv.cc.isClang;
@@ -8,13 +8,7 @@ appleDerivation {
 
   patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ];
 
-  __propagatedImpureHostDeps = [
-    "/System/Library/Frameworks/CoreFoundation.framework"
-    "/usr/lib/libc++.1.dylib"
-    "/usr/lib/libc++abi.dylib"
-    "/usr/lib/libicucore.A.dylib"
-    "/usr/lib/libz.1.dylib"
-  ];
+  __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation");
 
   preBuild = ''
     substituteInPlace Makefile \
@@ -52,5 +46,7 @@ appleDerivation {
   postInstall = ''
     mv $out/System/* $out
     rmdir $out/System
+    mv $out/Library/Frameworks/CoreFoundation.framework/Versions/A/PrivateHeaders/* \
+       $out/Library/Frameworks/CoreFoundation.framework/Versions/A/Headers
   '';
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
index baeca0f6fe3b..d465fa71ff02 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
@@ -1,13 +1,22 @@
 { stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin
 }:
 
+# this derivation sucks
+# locale data was removed after adv_cmds-118, so our base is that because it's easier than
+# replicating the bizarre bsdmake file structure
+#
+# sadly adv_cmds-118 builds a mklocale and colldef that generate files that our libc can no
+# longer understand
+#
+# the more recent adv_cmds release is used for everything else in this package
+
 let recentAdvCmds = fetchzip {
   url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz";
   sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn";
 };
 
 in appleDerivation {
-  buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ];
+  buildInputs = [ bsdmake perl yacc flex ];
 
   patchPhase = ''
     substituteInPlace BSDMakefile \
@@ -19,8 +28,6 @@ in appleDerivation {
 
     substituteInPlace Makefile --replace perl true
 
-    substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl"
-
     for subproject in colldef mklocale monetdef msgdef numericdef timedef; do
       substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \
         --replace /usr/share/locale "" \
@@ -29,9 +36,28 @@ in appleDerivation {
     done
   '';
 
+  preBuild = ''
+    cp -r --no-preserve=all ${recentAdvCmds}/colldef .
+    pushd colldef
+    mv locale/collate.h .
+    flex -t -8 -i scan.l > scan.c
+    yacc -d parse.y
+    clang *.c -o colldef -lfl
+    popd
+    mv colldef/colldef colldef.tproj/colldef
+
+    cp -r --no-preserve=all ${recentAdvCmds}/mklocale .
+    pushd mklocale
+    flex -t -8 -i lex.l > lex.c
+    yacc -d yacc.y
+    clang *.c -o mklocale -lfl
+    popd
+    mv mklocale/mklocale mklocale.tproj/mklocale
+  '';
+
   buildPhase = ''
-    bsdmake -C colldef.tproj
-    bsdmake -C mklocale.tproj
+    runHook preBuild
+
     bsdmake -C usr-share-locale.tproj
 
     clang ${recentAdvCmds}/ps/*.c -o ps
@@ -39,6 +65,12 @@ in appleDerivation {
 
   installPhase = ''
     bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale"
+
+    # need to get rid of runtime dependency on flex
+    # install -d 0755 $locale/bin
+    # install -m 0755 colldef.tproj/colldef $locale/bin
+    # install -m 0755 mklocale.tproj/mklocale $locale/bin
+
     install -d 0755 $ps/bin
     install ps $ps/bin/ps
   '';
diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
index 8687f3fe532e..c730a409609f 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
@@ -7,6 +7,10 @@ appleDerivation {
 
   propagatedBuildInputs = [ Security ];
 
+  __propagatedSandboxProfile = ''
+    (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
+  '';
+
   patchPhase = ''
     substituteInPlace SystemConfiguration.fproj/SCNetworkReachabilityInternal.h \
       --replace '#include <xpc/xpc.h>' ""
diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix
index b494f5ae3466..6b7858d374a0 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix
@@ -56,7 +56,9 @@ let
     bootstrap_cmds  = applePackage "bootstrap_cmds"    "86"          "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {};
     bsdmake         = applePackage "bsdmake"           "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
     CarbonHeaders   = applePackage "CarbonHeaders"     "9A581"       "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {};
-    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {};
+    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {
+      inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile;
+    };
     CommonCrypto    = applePackage "CommonCrypto"      "60049"       "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {};
     configd         = applePackage "configd"           "453.19"      "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {};
     copyfile        = applePackage "copyfile"          "103.92.1"    "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {};
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix
index 4a739032e2ae..ccce7448e5db 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix
@@ -30,6 +30,9 @@ name: version: sha256: args: let
       '';
       buildInputs = [
         pkgs.gnustep-make
+        pkgs.darwin.apple_sdk.frameworks.AppKit
+        pkgs.darwin.apple_sdk.frameworks.Foundation
+        pkgs.darwin.cf-private
       ];
       makeFlags = [
         "-f${makeFile}"
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix
index 23ac246b4afa..9de1d120cc94 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix
@@ -14,6 +14,9 @@ appleDerivation {
     substituteInPlace lib/debugging.cpp --replace PATH_MAX 1024
     substituteInPlace lib/superblob.h --replace 'result->at' 'result->template at'
     substituteInPlace lib/ccaudit.cpp --replace '<bsm/libbsm.h>' '"bsm/libbsm.h"'
+    substituteInPlace lib/powerwatch.h --replace \
+      '<IOKit/pwr_mgt/IOPMLibPrivate.h>' \
+      '"${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/System/Library/Frameworks/IOKit.framework/Versions/A/PrivateHeaders/pwr_mgt/IOPMLibPrivate.h"'
 
     cp ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/include/security_utilities/utilities_dtrace.h lib
     cp -R ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/local/include/bsm lib