authorRandy Eckenrode <randy@largeandhighquality.com>2024-05-06 07:57:02 -0400
committerGitHub <noreply@github.com>2024-05-06 07:57:02 -0400
commit318a6a6b52689141c8eff2e3529f8f09ee9a9c28 (patch)
tree65a1ff4699e260299c0b9c1f1944076e37ce88da
parentf5f3b69dc28d577c61079e2c4c37eea331f6f94b (diff)
parent6f7eccf45071b4c16a96d90632f031e68546ec93 (diff)
Merge pull request #290684 from corngood/dotnet-darwin
dotnet: fix dotnet executables in darwin sandbox
-rw-r--r--pkgs/build-support/dotnet/build-dotnet-module/default.nix10
-rw-r--r--pkgs/development/compilers/dotnet/build-dotnet.nix28
-rw-r--r--pkgs/development/compilers/dotnet/common.nix33
-rw-r--r--pkgs/development/compilers/dotnet/stage0.nix8
4 files changed, 59 insertions, 20 deletions
diff --git a/pkgs/build-support/dotnet/build-dotnet-module/default.nix b/pkgs/build-support/dotnet/build-dotnet-module/default.nix
index 15a753df07728..4548616c7d80e 100644
--- a/pkgs/build-support/dotnet/build-dotnet-module/default.nix
+++ b/pkgs/build-support/dotnet/build-dotnet-module/default.nix
@@ -185,6 +185,10 @@ stdenvNoCC.mkDerivation (args // {
 
   inherit selfContainedBuild useAppHost useDotnetFromEnv;
 
+  # propagate the runtime sandbox profile since the contents apply to published
+  # executables
+  propagatedSandboxProfile = toString dotnet-runtime.__propagatedSandboxProfile;
+
   passthru = {
     inherit nuget-source;
   } // lib.optionalAttrs (!lib.isDerivation nugetDeps) {
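Review bot: `toString dotnet-runtime.__propagatedSandboxProfile` is a hard evaluation error whenever the runtime handed to this builder does not carry that attribute, which is plausible because `dotnet-runtime` is an argument of this file (declared outside the hunk) and the attribute is produced by stdenv rather than by anything here; `toString (dotnet-runtime.__propagatedSandboxProfile or [])` degrades to an empty profile instead. The `toString` also suggests the attribute is a list rather than a string, which the comment should state so nobody later "fixes" it to a plain assignment, e.g. `# __propagatedSandboxProfile is a list accumulated by stdenv; toString joins it into one profile`. Because this is `propagatedSandboxProfile`, every derivation that depends on a buildDotnetModule output inherits the runtime's Darwin sandbox allowances, not just this build — worth one sentence in the comment. The second hunk of this file removes the Darwin `DOTNET_SYSTEM_GLOBALIZATION_INVARIANT` fallback, so Darwin builds now rely entirely on that propagated profile reaching the sandbox.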
@@ -316,8 +320,4 @@ stdenvNoCC.mkDerivation (args // {
   } // args.passthru or { };
 
   meta = (args.meta or { }) // { inherit platforms; };
-}
-  # ICU tries to unconditionally load files from /usr/share/icu on Darwin, which makes builds fail
-  # in the sandbox, so disable ICU on Darwin. This, as far as I know, shouldn't cause any built packages
-  # to behave differently, just the dotnet build tool.
-  // lib.optionalAttrs stdenvNoCC.isDarwin { DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = 1; })
+})
diff --git a/pkgs/development/compilers/dotnet/build-dotnet.nix b/pkgs/development/compilers/dotnet/build-dotnet.nix
index f6802e62c70d1..11ece53971662 100644
--- a/pkgs/development/compilers/dotnet/build-dotnet.nix
+++ b/pkgs/development/compilers/dotnet/build-dotnet.nix
@@ -26,6 +26,7 @@ assert if type == "sdk" then packages != null else true;
 , mkNugetDeps
 , callPackage
 , dotnetCorePackages
+, xmlstarlet
 }:
 
 let
@@ -47,6 +48,9 @@ let
 
   targetRid = dotnetCorePackages.systemToDotnetRid stdenv.targetPlatform.system;
 
+  sigtool = callPackage ./sigtool.nix {};
+  signAppHost = callPackage ./sign-apphost.nix {};
+
 in
 mkCommon type rec {
   inherit pname version;
@@ -54,7 +58,11 @@ mkCommon type rec {
   # Some of these dependencies are `dlopen()`ed.
   nativeBuildInputs = [
     makeWrapper
-  ] ++ lib.optional stdenv.isLinux autoPatchelfHook;
+  ] ++ lib.optional stdenv.isLinux autoPatchelfHook
+  ++ lib.optionals (type == "sdk" && stdenv.isDarwin) [
+    xmlstarlet
+    sigtool
+  ];
 
   buildInputs = [
     stdenv.cc.cc
@@ -71,6 +79,16 @@ mkCommon type rec {
 
   sourceRoot = ".";
 
+  postPatch = if type == "sdk" && stdenv.isDarwin then ''
+    xmlstarlet ed \
+      --inplace \
+      -s //_:Project -t elem -n Import \
+      -i \$prev -t attr -n Project -v "${signAppHost}" \
+      sdk/*/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.targets
+
+    codesign --remove-signature packs/Microsoft.NETCore.App.Host.osx-*/*/runtimes/osx-*/native/{apphost,singlefilehost}
+  '' else null;
+
   dontPatchELF = true;
   noDumpEnvVars = true;
 
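Review bot: Neither the signature stripping nor the XPath is explained, and both are details the next SDK bump will trip over: the `_:` default-namespace prefix is needed here while the stage0 invocation removed in this same commit used a bare `//Project`, and `codesign --remove-signature` on the apphost/singlefilehost templates is presumably required because the SDK rewrites those templates when it creates an app's apphost, invalidating the bundled signature, with the injected `sign-apphost` import re-signing the result — I am inferring that from the names, so confirm before documenting it. Suggested comments: `# Microsoft.NET.Sdk.targets declares a default xmlns, so xmlstarlet needs the _: prefix` above the `xmlstarlet` call and `# strip Microsoft's signature from the templates; sign-apphost re-signs each generated apphost` above the `codesign` line. The `codesign` binary appears to come from the locally built `sigtool` (nothing else in `nativeBuildInputs` provides it), which the comment should say. The brace expansion `{apphost,singlefilehost}` passes an unmatched pattern through literally, so a pack shipping only one of the two makes `codesign` fail on a non-existent path; if fail-fast is intended, say so, and `lib.optionalString (type == "sdk" && stdenv.isDarwin)` would avoid relying on `null` being accepted for `postPatch`.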
@@ -108,6 +126,14 @@ mkCommon type rec {
       $out/packs/Microsoft.NETCore.App.Host.${targetRid}/*/runtimes/${targetRid}/native/*host
   '';
 
+  # fixes: Could not load ICU data. UErrorCode: 2
+  propagatedSandboxProfile = lib.optionalString stdenv.isDarwin ''
+    (allow file-read* (subpath "/usr/share/icu"))
+    (allow file-read* (subpath "/private/var/db/mds/system"))
+    (allow mach-lookup (global-name "com.apple.SecurityServer")
+                       (global-name "com.apple.system.opendirectoryd.membership"))
+  '';
+
   passthru = {
     inherit icu;
   } // lib.optionalAttrs (type == "sdk") {
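Review bot: The comment justifies only the `/usr/share/icu` read, yet the profile also grants reads under `/private/var/db/mds/system` and mach-lookups of `com.apple.SecurityServer` and `com.apple.system.opendirectoryd.membership`, and because this is `propagatedSandboxProfile` every Darwin derivation built with this SDK or runtime inherits all four allowances, so each one needs its own justification for a later reviewer to be able to prune the list. A comment such as `# /usr/share/icu: ICU data (fixes "Could not load ICU data. UErrorCode: 2"); mds/system, SecurityServer, opendirectoryd: presumably used by the Security framework when apphosts are signed — confirm` above the attribute would do. If the last three are only exercised while this SDK signs apphosts during a consumer's build, that is still a reason to propagate them, but the comment should say that is the reason rather than leaving ICU as the only stated one.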
diff --git a/pkgs/development/compilers/dotnet/common.nix b/pkgs/development/compilers/dotnet/common.nix
index 49f3e3be4d779..e26fd0e337708 100644
--- a/pkgs/development/compilers/dotnet/common.nix
+++ b/pkgs/development/compilers/dotnet/common.nix
@@ -50,9 +50,18 @@
           runtime ? finalAttrs.finalPackage,
           runInputs ? [],
           run ? null,
+          runAllowNetworking ? false,
         }:
         let
-          built = runCommand "dotnet-test-${name}" { buildInputs = [ finalAttrs.finalPackage ]; } (''
+          sdk = finalAttrs.finalPackage;
+          built = runCommand "dotnet-test-${name}" {
+            buildInputs = [ sdk ];
+            # make sure ICU works in a sandbox
+            propagatedSandboxProfile = toString sdk.__propagatedSandboxProfile + ''
+              (allow network-inbound (local ip))
+              (allow mach-lookup (global-name "com.apple.FSEvents"))
+            '';
+          } (''
             HOME=$PWD/.home
             dotnet new nugetconfig
             dotnet nuget disable source nuget
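Review bot: The two lines appended to `propagatedSandboxProfile` grant `network-inbound (local ip)` and the `com.apple.FSEvents` lookup unconditionally, even though the new `runAllowNetworking` parameter presents networking as opt-in; and since the attribute is the propagated one, anything listing `built` as an input — the `-run` derivation in the next hunk does — inherits them, which makes the `sandboxProfile` block gated there redundant on the profile side, leaving only `__darwinAllowLocalNetworking` actually gated. The comment `# make sure ICU works in a sandbox` describes the inherited SDK profile, not these additions; if they are required by `dotnet build`/restore itself, document that: `# the SDK profile covers ICU; the two lines below are for the build step itself (MSBuild local sockets / FSEvents — verify)`. If they are needed only while building, the non-propagated `sandboxProfile` would keep them from leaking to every dependent of `built`. The enclosing `let` and the `mkTest` definition start outside this hunk.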
@@ -65,11 +74,19 @@
           if run == null
             then built
           else
-            runCommand "${built.name}-run" { src = built; nativeBuildInputs = runInputs; } (
-              lib.optionalString (runtime != null) ''
-                # TODO: use runtime here
-                export DOTNET_ROOT=${runtime}
-              '' + run);
+            runCommand "${built.name}-run" ({
+              src = built;
+              nativeBuildInputs = [ built ] ++ runInputs;
+            } // lib.optionalAttrs (stdenv.isDarwin && runAllowNetworking) {
+              sandboxProfile = ''
+                (allow network-inbound (local ip))
+                (allow mach-lookup (global-name "com.apple.FSEvents"))
+              '';
+              __darwinAllowLocalNetworking = true;
+            }) (lib.optionalString (runtime != null) ''
+              # TODO: use runtime here
+              export DOTNET_ROOT=${runtime}
+            '' + run);
 
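Review bot: `built` is now added to `nativeBuildInputs` although it is already the `src`, and the hunk does not say why; presumably it is there so that the propagated sandbox profile set on `built` applies to this run derivation too, which a later cleanup would not guess from `src = built` alone. A comment on that line, `# listed as an input so built's propagated sandbox profile applies here`, would pin the intent. The `if run == null` expression and its enclosing `let` start outside the hunk.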
       # Setting LANG to something other than 'C' forces the runtime to search
       # for ICU, which will be required in most user environments.
@@ -127,6 +144,7 @@
           expect <<"EOF"
             set status 1
             spawn $env(src)/test
+            proc abort { } { exit 2 }
             expect_before default abort
             expect -re {Now listening on: ([^\r]+)\r} {
               set url $expect_out(1,string)
@@ -138,11 +156,14 @@
               exit 1
             }
             send \x03
+            expect_before timeout abort
+            expect eof
             catch wait result
             exit [lindex $result 3]
           EOF
           touch $out
         '';
+        runAllowNetworking = true;
       };
     } // args.passthru.tests or {};
   } // args.passthru or {};
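Review bot: The switch from the earlier `expect_before default abort` to `expect_before timeout abort` immediately before the new `expect eof` is what makes the added wait work — expect's `default` pattern fires on eof as well as on timeout, so the earlier handler would abort on the very eof being waited for after `send \x03` — and nothing in the script says so. A Tcl comment at that line, `# only timeout is fatal from here: eof is the expected result of Ctrl-C`, would keep someone from collapsing the two `expect_before` lines back into one. The heredoc and the enclosing `''` string both start before this hunk.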
diff --git a/pkgs/development/compilers/dotnet/stage0.nix b/pkgs/development/compilers/dotnet/stage0.nix
index e0caad3f9a674..5806a5ee6de82 100644
--- a/pkgs/development/compilers/dotnet/stage0.nix
+++ b/pkgs/development/compilers/dotnet/stage0.nix
@@ -25,8 +25,6 @@ let
 
   patchNupkgs = pkgsBuildHost.callPackage ./patch-nupkgs.nix {};
 
-  signAppHost = callPackage ./sign-apphost.nix {};
-
   deps = mkNugetDeps {
     name = "dotnet-vmr-deps";
     sourceFile = depsFile;
@@ -51,12 +49,6 @@ let
         -s //Project -t elem -n Import \
         -i \$prev -t attr -n Project -v "${./patch-restored-packages.proj}" \
         src/*/Directory.Build.targets
-    '' + lib.optionalString stdenv.isDarwin ''
-      xmlstarlet ed \
-        --inplace \
-        -s //Project -t elem -n Import \
-        -i \$prev -t attr -n Project -v "${signAppHost}" \
-        src/runtime/Directory.Build.targets
     '';
 
     postConfigure = old.postConfigure or "" + ''