From 22dfd023fafc5951619072d3031e3198f9538e45 Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Thu, 12 Nov 2015 22:51:52 -0800
Subject: [PATCH] update sandbox profiles within nix
---
 corepkgs/buildenv.nix | 18 ++++++++++++++----
 release.nix | 5 +++++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/corepkgs/buildenv.nix b/corepkgs/buildenv.nix
index b4946457..ab1ce13f 100644
--- a/corepkgs/buildenv.nix
+++ b/corepkgs/buildenv.nix
@@ -23,10 +23,20 @@ derivation {
 # network traffic, so don't do that.
 preferLocalBuild = true;
- __impureHostDeps = if builtins.currentSystem == "x86_64-darwin" then [
- "/usr/lib/libSystem.dylib"
- "/usr/lib/system"
- ] else null;
+ __sandboxProfile = ''
+ (allow sysctl-read)
+ (allow file-read*
+ (literal "/usr/lib/libSystem.dylib")
+ (literal "/usr/lib/libSystem.B.dylib")
+ (literal "/usr/lib/libobjc.A.dylib")
+ (literal "/usr/lib/libobjc.dylib")
+ (literal "/usr/lib/libauto.dylib")
+ (literal "/usr/lib/libc++abi.dylib")
+ (literal "/usr/lib/libc++.1.dylib")
+ (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+ (subpath "/usr/lib/system")
+ (subpath "/dev"))
+ '';
 inherit chrootDeps;
 }
diff --git a/release.nix b/release.nix
index 4269a3f7..cb391d0f 100644
--- a/release.nix
+++ b/release.nix
@@ -97,6 +97,11 @@ let enableParallelBuilding = true;
+ __sandboxProfile = lib.sandbox.allowNetwork + + lib.sandbox.allowFileRead {
+ literal = [ "/etc" "/etc/nix/nix.conf" "/private/etc/nix/nix.conf" ];
+ };
+ makeFlags = "profiledir=$(out)/etc/profile.d";
 preBuild = "unset NIX_INDENT_MAKE";
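Review bot: `(subpath "/dev")` inside the `file-read*` rule opens the whole device tree for reading, and `(allow sysctl-read)` is unfiltered, so this profile grants noticeably more than the two `/usr/lib` paths it replaces. If the builder only needs the usual pseudo-devices, listing them, e.g. `(literal "/dev/null") (literal "/dev/urandom")`, keeps the allowance reviewable; the exact set needs confirming against the builder. The `x86_64-darwin` condition from the removed lines is also gone, so the attribute is now set on every platform, which presumably changes the derivation on non-Darwin systems without any benefit there. A short comment above the profile, such as `# Darwin: system dylibs and devices the builder loads at startup`, would record why each rule exists. The `derivation { … }` block starts above the hunk.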
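Review bot: `lib.sandbox.allowNetwork` lifts network isolation for the whole build of this derivation, not only for the step that needs it, and nothing in the hunk says which step that is. Please record the reason next to the attribute, e.g. `# <phase or test> needs network access; drop once it can run offline`, so the exception can be revisited. If only loopback is required, a narrower rule than blanket network access would be preferable, assuming `lib.sandbox` (defined outside this diff) offers one. The `literal` list is suitably narrow; `"/etc"` as a literal covers only that path itself, presumably for the `/etc` to `/private/etc` symlink on Darwin. The enclosing attribute set starts and ends outside the hunk.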