Commit dc32d18e authored by Emily

lowdown: add flag to disable the Darwin sandbox

This is a program written in a memory‐unsafe language that processes
potentially‐untrusted user input. We shouldn’t disable upstream’s
sandboxing mechanisms for all downstream consumers without good
reason.

Although the sandbox API is officially marked as deprecated, it is
used as the basis for the supported App Sandbox and it is extremely
unlikely to ever be removed as it is used extensively throughout
the OS for service hardening and by third parties like the Chrome
sandbox. Nix itself uses it to sandbox builds, and its lack of support
for nesting is why this caused problems in the first place. Instead,
introduce a `lowdown-unsandboxed` package that can be used in the
`nativeBuildInputs` of Nix builds, while keeping the sandboxed
version of the program for general use. The name might not be ideal,
as it remains identical to `lowdown` on non‐Darwin platforms,
but I couldn’t think of a better one.

See: #125004
Closes: #346933
parent c4902d65
+7 −3
@@ -2,12 +2,13 @@
, fetchpatch
, enableShared ? !stdenv.hostPlatform.isStatic
, enableStatic ? stdenv.hostPlatform.isStatic
, enableDarwinSandbox ? true
# for passthru.tests
, nix
}:

stdenv.mkDerivation rec {
  pname = "lowdown";
  pname = "lowdown${lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed"}";
  version = "1.1.0";

  outputs = [ "out" "lib" "dev" "man" ];
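Review bot: the new `enableDarwinSandbox ? true` argument carries no comment saying what it controls or that it is a no-op off Darwin, while the `pname` suffix is only appended when `stdenv.hostPlatform.isDarwin`, so `lowdown.override { enableDarwinSandbox = false; }` evaluated on Linux still yields a package named `lowdown`. Add a one-line comment above the argument (the file already does this for `nix` with `# for passthru.tests`) stating that it only affects Darwin and that disabling it drops the binary's own sandboxing, so it should only be set for build-time use inside Nix.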
@@ -54,7 +55,9 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ which dieHook ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin [ fixDarwinDylibNames ];

  preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) ''
  # The Darwin sandbox calls fail inside Nix builds, presumably due to
  # being nested inside another sandbox.
  preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) ''
    echo 'HAVE_SANDBOX_INIT=0' > configure.local
  '';

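Review bot: the guard changes from `isDarwin && isAarch64` to `isDarwin && !enableDarwinSandbox`, which both re-enables the sandbox on aarch64-darwin for the default package and extends the unsandboxed variant to x86_64-darwin, yet the new comment only says the sandbox calls "presumably" fail when nested. The commit message states the cause outright (the Darwin sandbox does not support nesting, and Nix builds run inside one), so the comment should say that and note it applies to every Darwin host; otherwise a reader will ask why the x86_64 case, which previously configured with the sandbox, now needs the flag too.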
@@ -103,7 +106,8 @@ stdenv.mkDerivation rec {
    '';

  doInstallCheck = true;
  installCheckPhase = ''

  installCheckPhase = lib.optionalString (!stdenv.hostPlatform.isDarwin || !enableDarwinSandbox) ''
    runHook preInstallCheck
    echo '# TEST' > test.md
    $out/bin/lowdown test.md
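Review bot: `doInstallCheck = true` is kept while `installCheckPhase` becomes an empty string for sandboxed Darwin builds; an empty phase variable does not skip the phase, stdenv falls back to its default `installCheckPhase` function when the variable is empty, so the phase still runs, just without the intended smoke test. Gate the phase itself instead, e.g. `doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox;`, and leave the `installCheckPhase` body unconditional. A comment is also warranted that the check is skipped precisely because `sandbox_init` fails inside the nested Nix sandbox, since this means the sandboxed `lowdown` binary, the variant the commit is introduced to protect, is never exercised by its own build.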
+5 −0
@@ -5434,6 +5434,11 @@ with pkgs;
  lowdown = callPackage ../tools/typesetting/lowdown { };
  # Less secure variant of lowdown for use inside Nix builds.
  lowdown-unsandboxed = lowdown.override {
    enableDarwinSandbox = false;
  };
  numatop = callPackage ../os-specific/linux/numatop { };
  numworks-udev-rules = callPackage ../os-specific/linux/numworks-udev-rules { };
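Review bot: nothing in the diff switches a consumer to `lowdown-unsandboxed`, although the commit message introduces it specifically for the `nativeBuildInputs` of Nix builds; either update that consumer in the same commit or extend the comment to name which consumers are expected to use it. The `# Less secure variant` comment should also say why it is less secure (built with `HAVE_SANDBOX_INIT=0`, so the binary runs without the Darwin sandbox) and that it is identical to `lowdown` on non-Darwin platforms, so the attribute is understandable without reading the commit message.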