about summary refs log tree commit diff
path: root/pkgs/stdenv/generic/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/stdenv/generic/default.nix')
-rw-r--r--pkgs/stdenv/generic/default.nix19
1 files changed, 17 insertions, 2 deletions
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 1a2ca5038b20..8e6bf2be63f6 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , extraBuildInputs ? []
 , __stdenvImpureHostDeps ? []
 , __extraImpureHostDeps ? []
+, stdenvSandboxProfile ? ""
+, extraSandboxProfile ? ""
 }:
 
 let
@@ -100,6 +102,8 @@ let
     , outputs ? [ "out" ]
     , __impureHostDeps ? []
     , __propagatedImpureHostDeps ? []
+    , sandboxProfile ? ""
+    , propagatedSandboxProfile ? ""
     , ... } @ attrs:
     let
       pos' =
@@ -165,9 +169,13 @@ let
       lib.addPassthru (derivation (
         (removeAttrs attrs
           ["meta" "passthru" "crossAttrs" "pos"
-           "__impureHostDeps" "__propagatedImpureHostDeps"])
+           "__impureHostDeps" "__propagatedImpureHostDeps"
+           "sandboxProfile" "propagatedSandboxProfile"])
         // (let
-          # TODO: remove lib.unique once nix has a list canonicalization primitive
+          computedSandboxProfile =
+            lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs);
+          computedPropagatedSandboxProfile =
+            lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs);
           computedImpureHostDeps =
             lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs));
           computedPropagatedImpureHostDeps =
@@ -189,6 +197,12 @@ let
           propagatedNativeBuildInputs = propagatedNativeBuildInputs ++
             (if crossConfig == null then propagatedBuildInputs else []);
         } // ifDarwin {
+          # TODO: remove lib.unique once nix has a list canonicalization primitive
+          __sandboxProfile =
+          let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
+              final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
+          in final;
+          __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
           __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
             "/dev/zero"
             "/dev/random"
@@ -232,6 +246,7 @@ let
       inherit preHook initialPath shell defaultNativeBuildInputs;
     }
     // ifDarwin {
+      __sandboxProfile = stdenvSandboxProfile;
       __impureHostDeps = __stdenvImpureHostDeps;
     })
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-13 20:23:36 +0000