Resurrect Nix Darwin sandbox

[copumpkin]

This is a combined Nix + Nixpkgs issue, because the relevant work spans both repositories. This used to work, but broke a while ago and nobody's had the time to fix it.

The end result of this work should be:

• [ ] Most of nixpkgs (definitely all major packages) should build with sandbox enabled on Darwin
• [ ] All Darwin Hydra builders have it enabled
• [ ] The mechanism is reasonably safe by default (i.e., packages can't just specify arbitrary sandbox profiles to break out)
• [ ] Nix defaults to sandbox=true on Darwin because the default Darwin channel builds fine on it

This is a fair amount of work but should hopefully be fairly mechanical.

@edolstra for testing progress on this issue, is there a way to create a single Hydra jobset that enables the sandbox? That would allow us to improve things without affecting mainline builds.

Some relevant PRs (I'll edit to add more as I put them up):

• https://github.com/NixOS/nix/pull/1616

cc @LnL7 @domenkozar @pikajude

[edolstra]

Hydra doesn't really have a way to enable sandboxing per jobset, since that's determined by the configuration of the individual builders. A hacky way would be to set requiredSystemFeature = ["sandbox"] and then reserve a Mac builder for doing sandbox builds.

[copumpkin]

@edolstra that could work, if we can stop that builder from being used everywhere else. Otherwise normal builds will all fail on that builder 😦

[edolstra]

Yes, that's possible by marking it as a mandatory feature.

[copumpkin]

I've been working on this on and off and have the stdenv and several packages building fine in it. Will post PRs when more ready, and link them back here.

[jwiegley]

@copumpkin I'm trying to build my entire Darwin environment with sandboxing on now, to find out which packages fail. Is there someplace that it would be good to maintain a list of these? I know, for example, that ghcWithHoogle has problems with it on.

[matthewbauer]

@copumpkin Any updates on this? Hopefully the stdenv are fairly small?

[happysalada]

Interested in this as well!

[Et7f3]

The state is currently good. I get one failure in qt, ocamlPackages.opam most package build fine.

[tomodachi94]

Pinging the responsible maintainers, @NixOS/darwin-core.