NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

darwin sandbox does not allow access to dyld shared cache in `/System/Library/dyld/` #5888

Open lilyball opened 2 years ago

lilyball commented 2 years ago

Describe the bug

On macOS 12, the system has dyld shared caches in /System/Library/dyld/, but Nix's macOS sandbox does not allow access to this location. This produces sandbox deny warnings in the Console and presumably incurs a performance penalty.

Nix should just add /System/Library/dyld/ to the set of default paths it allows reading from in the sandbox. This only contains shared caches (dyld shared cache and something called "aot_shared_cache"), and in general everything on macOS uses dyld so we should not restrict access to dyld's expected resources.

Steps To Reproduce

  1. In one terminal window, run log stream --predicate 'message CONTAINS "dyld_shared_cache"'
  2. In another terminal window, run nix --sandbox build --impure --expr 'with import <nixpkgs> {}; runCommandNoCC "foo" {} "echo hi"'

In the first terminal window, it will print something like

❯ log stream --predicate 'message CONTAINS "dyld_shared_cache"'
Filtering the log data using "composedMessage CONTAINS "dyld_shared_cache""
Timestamp                       Thread     Type        Activity             PID    TTL  
2022-01-07 00:57:47.733025-0800 0x858ae5   Error       0x0                  0      0    kernel: (Sandbox) Sandbox: bash(31281) deny(1) file-read-metadata /System/Library/dyld/dyld_shared_cache_arm64e
2022-01-07 00:57:47.752448-0800 0x858ae9   Error       0x0                  0      0    kernel: (Sandbox) Sandbox: coreutils(31284) deny(1) file-read-metadata /System/Library/dyld/dyld_shared_cache_arm64e

This does not affect the build results (the reproduction command will fail since it never creates $out but builds in general work as expected).

Expected behavior

These sandbox violations should not occur.

nix --version output

nix (Nix) 2.5.1
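Added example (not from the issue or the Nix project): a small POSIX shell script that aggregates Sandbox deny lines of the shape shown above by operation and path, which is the check a maintainer would run before allow-listing a directory such as /System/Library/dyld/ in the sandbox profile. The sample input is the two lines quoted in the issue plus one constructed variant.

```shell
#!/bin/sh
# Added example (not Nix project code): summarise macOS Sandbox deny events from
# `log stream` output so the denied paths can be reviewed before widening the
# sandbox's read allow-list. Input lines have the shape
# "kernel: (Sandbox) Sandbox: <proc>(<pid>) deny(<n>) <operation> <path>".

# Constructed sample: the two lines quoted in the issue, plus a third variant
# (a different operation and the aot_shared_cache path) to show grouping.
SAMPLE_LOG='2022-01-07 00:57:47.733025-0800 0x858ae5   Error       0x0                  0      0    kernel: (Sandbox) Sandbox: bash(31281) deny(1) file-read-metadata /System/Library/dyld/dyld_shared_cache_arm64e
2022-01-07 00:57:47.752448-0800 0x858ae9   Error       0x0                  0      0    kernel: (Sandbox) Sandbox: coreutils(31284) deny(1) file-read-metadata /System/Library/dyld/dyld_shared_cache_arm64e
2022-01-07 00:57:48.100000-0800 0x858af0   Error       0x0                  0      0    kernel: (Sandbox) Sandbox: bash(31281) deny(1) file-read-data /System/Library/dyld/aot_shared_cache'

# sandbox_denials: read log lines on stdin and print one line per distinct
# (operation, path) pair as "<count> <operation> <path>", most frequent first.
sandbox_denials() {
  awk '
    /\(Sandbox\) Sandbox: .* deny\([0-9]+\) / {
      # The operation and path are the two fields following "deny(n)".
      for (i = 1; i <= NF; i++)
        if ($i ~ /^deny\([0-9]+\)$/) { count[$(i + 1) " " $(i + 2)]++; break }
    }
    END { for (k in count) print count[k] " " k }
  ' | sort -rn
}

# under_prefix PREFIX: total number of denials in SAMPLE_LOG whose path starts
# with PREFIX, i.e. how many events a subpath allow rule for PREFIX would cover.
under_prefix() {
  printf '%s\n' "$SAMPLE_LOG" | sandbox_denials |
    awk -v p="$1" 'index($3, p) == 1 { s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | sandbox_denials
echo "denials under /System/Library/dyld/: $(under_prefix /System/Library/dyld/)"
```

To run it against a live system, replace the sample with `log stream --predicate 'message CONTAINS "Sandbox"'` piped into sandbox_denials.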

stale[bot] commented 2 years ago

I marked this as stale due to inactivity.