authorEelco Dolstra <edolstra@gmail.com>2023-01-04 04:36:07 -0800
committerEelco Dolstra <edolstra@gmail.com>2023-01-04 04:36:07 -0800
commit609a7dc05974c9f86b2e7304762b9e01c5879380 (patch)
tree6ce2282d0d28381a12e8fb81642ed779f1d38a23 /src
parentd4d1ca8b1160c8ee045fefafa7ccb00a1a5eeb0b (diff)
Include macOS sandbox files in the Nix binary
This basically reverts 6e5165b77370c76bfa39d4b55e9f83673f3bd466. It fixes errors like `sandbox-exec: <internal init prelude>:292:47: unable to open sandbox-minimal.sb: not found` when running a development Nix installed in a user's home directory. Also, we're trying to minimize the number of installed files to make it possible to deploy Nix as a single statically-linked binary.
Diffstat (limited to 'src')
-rw-r--r--src/libstore/build/local-derivation-goal.cc14
-rw-r--r--src/libstore/local.mk4
-rw-r--r--src/libstore/sandbox-defaults.sb4
-rw-r--r--src/libstore/sandbox-minimal.sb4
-rw-r--r--src/libstore/sandbox-network.sb4
5 files changed, 21 insertions, 9 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 9d869d513..488e06d8c 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2050,10 +2050,14 @@ void LocalDerivationGoal::runChild()
sandboxProfile += "(deny default (with no-log))\n";
}
- sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
if (!derivationType.isSandboxed())
- sandboxProfile += "(import \"sandbox-network.sb\")\n";
+ sandboxProfile +=
+ #include "sandbox-network.sb"
+ ;
/* Add the output paths we'll use at build-time to the chroot */
sandboxProfile += "(allow file-read* file-write* process-exec\n";
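Review bot: Splitting an expression statement around a `#include` (lines 29-31 and 34-36 here, and the sandbox-minimal.sb include in the next hunk) is an unusual idiom and deserves a comment at the first use, e.g. `// The .sb files are wrapped in R""( ... )"" so the profile text is compiled into the binary instead of being resolved through IMPORT_DIR at run time.` A quoted include is searched relative to the including file's directory first, and these profiles live in src/libstore rather than src/libstore/build, so this depends on the libstore include path being on the compiler command line; because the files are #included, the compiler's dependency output should also track edits to them, which is worth confirming in the build. runChild continues outside the hunk.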
@@ -2096,7 +2100,9 @@ void LocalDerivationGoal::runChild()
sandboxProfile += additionalSandboxProfile;
} else
- sandboxProfile += "(import \"sandbox-minimal.sb\")\n";
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
debug("Generated sandbox profile:");
debug(sandboxProfile);
@@ -2121,8 +2127,6 @@ void LocalDerivationGoal::runChild()
args.push_back(sandboxFile);
args.push_back("-D");
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- args.push_back("-D");
- args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
if (allowLocalNetworking) {
args.push_back("-D");
args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
diff --git a/src/libstore/local.mk b/src/libstore/local.mk
index 8f28bec6c..e5e24501e 100644
--- a/src/libstore/local.mk
+++ b/src/libstore/local.mk
@@ -13,10 +13,6 @@ ifdef HOST_LINUX
libstore_LDFLAGS += -ldl
endif
-ifdef HOST_DARWIN
-libstore_FILES = sandbox-defaults.sb sandbox-minimal.sb sandbox-network.sb
-endif
-
$(foreach file,$(libstore_FILES),$(eval $(call install-data-in,$(d)/$(file),$(datadir)/nix/sandbox)))
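Review bot: With the HOST_DARWIN assignment removed, the `$(foreach file,$(libstore_FILES),...)` install rule that remains on the last line of this hunk has nothing to install unless libstore_FILES is assigned elsewhere, so it should probably be dropped together with the block above it rather than left as a no-op. If it is kept, a comment such as `# libstore_FILES is currently empty: the macOS sandbox profiles are #included into local-derivation-goal.cc rather than installed` would stop the next reader from looking for an install location that no longer exists.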
ifeq ($(ENABLE_S3), 1)
diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
index d9d710559..77f013aea 100644
--- a/src/libstore/sandbox-defaults.sb
+++ b/src/libstore/sandbox-defaults.sb
@@ -1,3 +1,5 @@
+R""(
+
(define TMPDIR (param "_GLOBAL_TMP_DIR"))
(deny default)
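Review bot: The raw string literal opened on the first added line uses the empty delimiter `R""(`, so the first `)"` sequence anywhere in the profile text terminates the literal; the matching `)""` is added in the next hunk, and sandbox-minimal.sb and sandbox-network.sb use the same form. The current text only contains `"))`, never `)"`, so it compiles today, but any future rule in which a closing paren is directly followed by a string would break the build with an unrelated-looking error in local-derivation-goal.cc. A named delimiter, `R"sb(` at the top and `)sb"` at the bottom of each of the three files, removes that hazard at no cost.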
@@ -104,3 +106,5 @@
(subpath "/System/Library/Apple/usr/libexec/oah")
(subpath "/System/Library/LaunchDaemons/com.apple.oahd.plist")
(subpath "/Library/Apple/System/Library/LaunchDaemons/com.apple.oahd.plist"))
+
+)""
diff --git a/src/libstore/sandbox-minimal.sb b/src/libstore/sandbox-minimal.sb
index 65f5108b3..976a1f636 100644
--- a/src/libstore/sandbox-minimal.sb
+++ b/src/libstore/sandbox-minimal.sb
@@ -1,5 +1,9 @@
+R""(
+
(allow default)
; Disallow creating setuid/setgid binaries, since that
; would allow breaking build user isolation.
(deny file-write-setugid)
+
+)""
diff --git a/src/libstore/sandbox-network.sb b/src/libstore/sandbox-network.sb
index 19e9eea9a..335edbaed 100644
--- a/src/libstore/sandbox-network.sb
+++ b/src/libstore/sandbox-network.sb
@@ -1,3 +1,5 @@
+R""(
+
; Allow local and remote network traffic.
(allow network* (local ip) (remote ip))
@@ -18,3 +20,5 @@
; Allow access to trustd.
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+
+)""