diff --git a/pkgs/build-support/dotnet/build-dotnet-module/default.nix b/pkgs/build-support/dotnet/build-dotnet-module/default.nix index 15a753df0772..4548616c7d80 100644 --- a/pkgs/build-support/dotnet/build-dotnet-module/default.nix +++ b/pkgs/build-support/dotnet/build-dotnet-module/default.nix @@ -185,6 +185,10 @@ stdenvNoCC.mkDerivation (args // { inherit selfContainedBuild useAppHost useDotnetFromEnv; + # propagate the runtime sandbox profile since the contents apply to published + # executables + propagatedSandboxProfile = toString dotnet-runtime.__propagatedSandboxProfile; + passthru = { inherit nuget-source; } // lib.optionalAttrs (!lib.isDerivation nugetDeps) { @@ -316,8 +320,4 @@ stdenvNoCC.mkDerivation (args // { } // args.passthru or { }; meta = (args.meta or { }) // { inherit platforms; }; -} - # ICU tries to unconditionally load files from /usr/share/icu on Darwin, which makes builds fail - # in the sandbox, so disable ICU on Darwin. This, as far as I know, shouldn't cause any built packages - # to behave differently, just the dotnet build tool. - // lib.optionalAttrs stdenvNoCC.isDarwin { DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = 1; }) +}) diff --git a/pkgs/development/compilers/dotnet/build-dotnet.nix b/pkgs/development/compilers/dotnet/build-dotnet.nix index f6802e62c70d..11ece5397166 100644 --- a/pkgs/development/compilers/dotnet/build-dotnet.nix +++ b/pkgs/development/compilers/dotnet/build-dotnet.nix @@ -26,6 +26,7 @@ assert if type == "sdk" then packages != null else true; , mkNugetDeps , callPackage , dotnetCorePackages +, xmlstarlet }: let @@ -47,6 +48,9 @@ let targetRid = dotnetCorePackages.systemToDotnetRid stdenv.targetPlatform.system; + sigtool = callPackage ./sigtool.nix {}; + signAppHost = callPackage ./sign-apphost.nix {}; + in mkCommon type rec { inherit pname version; 
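Review bot: `dotnet-runtime.__propagatedSandboxProfile` in the first hunk is selected unconditionally, so evaluation fails with a missing-attribute error whenever the runtime derivation does not carry that attribute — as far as I recall stdenv only sets `__propagatedSandboxProfile` on Darwin derivations, and a caller-supplied `dotnet-runtime` that was not built through build-dotnet.nix would lack it on any platform. A fallback keeps the selection optional in both cases: `propagatedSandboxProfile = toString (dotnet-runtime.__propagatedSandboxProfile or []);`; the same unguarded selection appears in common.nix's test derivation (`toString sdk.__propagatedSandboxProfile`). The second hunk deletes the comment that explained why ICU was disabled on Darwin without recording what replaces it; the new comment could end with `# replaces the former DOTNET_SYSTEM_GLOBALIZATION_INVARIANT workaround: the runtime's profile lets ICU read /usr/share/icu inside the sandbox`. Since the profile is propagated, every package built with buildDotnetModule now gets the runtime's extra Darwin sandbox allowances, which is worth stating in that comment too.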
@@ -54,7 +58,11 @@ mkCommon type rec { # Some of these dependencies are `dlopen()`ed. nativeBuildInputs = [ makeWrapper - ] ++ lib.optional stdenv.isLinux autoPatchelfHook; + ] ++ lib.optional stdenv.isLinux autoPatchelfHook + ++ lib.optionals (type == "sdk" && stdenv.isDarwin) [ + xmlstarlet + sigtool + ]; buildInputs = [ stdenv.cc.cc @@ -71,6 +79,16 @@ mkCommon type rec { sourceRoot = "."; + postPatch = if type == "sdk" && stdenv.isDarwin then '' + xmlstarlet ed \ + --inplace \ + -s //_:Project -t elem -n Import \ + -i \$prev -t attr -n Project -v "${signAppHost}" \ + sdk/*/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.targets + + codesign --remove-signature packs/Microsoft.NETCore.App.Host.osx-*/*/runtimes/osx-*/native/{apphost,singlefilehost} + '' else null; + dontPatchELF = true; noDumpEnvVars = true; @@ -108,6 +126,14 @@ mkCommon type rec { $out/packs/Microsoft.NETCore.App.Host.${targetRid}/*/runtimes/${targetRid}/native/*host ''; + # fixes: Could not load ICU data. UErrorCode: 2 + propagatedSandboxProfile = lib.optionalString stdenv.isDarwin '' + (allow file-read* (subpath "/usr/share/icu")) + (allow file-read* (subpath "/private/var/db/mds/system")) + (allow mach-lookup (global-name "com.apple.SecurityServer") + (global-name "com.apple.system.opendirectoryd.membership")) + ''; + passthru = { inherit icu; } // lib.optionalAttrs (type == "sdk") { diff --git a/pkgs/development/compilers/dotnet/common.nix b/pkgs/development/compilers/dotnet/common.nix index 49f3e3be4d77..69503147ea07 100644 --- a/pkgs/development/compilers/dotnet/common.nix +++ b/pkgs/development/compilers/dotnet/common.nix 
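Review bot: The Darwin-only `postPatch` in the sdk hunk rewrites the SDK's own Microsoft.NET.Sdk.targets and strips the signatures from the apphost and singlefilehost templates with no comment saying why either step is needed or how they relate. Presumably the injected Import makes every build that uses this SDK run sign-apphost.nix on the apphost it produces, and the stale upstream signature on the template is removed because that tool re-signs the result; if so, a comment above the block such as `# Darwin: import sign-apphost into every SDK build so published apphosts are re-signed, and drop the upstream signature from the host templates it rewrites` would let the next maintainer tell which half can go once upstream handles this. The `-s //_:Project` selector differs from the `//Project` used for the same edit in stage0.nix; a short `# the SDK targets file declares a default namespace, hence _:` would explain the difference.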
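Review bot: The comment `# fixes: Could not load ICU data. UErrorCode: 2` on the new `propagatedSandboxProfile` explains only the `/usr/share/icu` rule; the `/private/var/db/mds/system` read and the two mach-lookup names look like they serve code signing and the Security framework rather than ICU, and nothing says which failure each one cures. Because this profile is propagated into the sandbox of every consumer of the runtime, each allow rule should carry its own one-line reason so a later reader can drop the ones that no longer apply, e.g. `# ICU reads its data files from the system location` before the first rule and `# codesign / Security.framework lookups, presumably needed by sign-apphost — confirm` before the remaining three. The `isDarwin` conditional is fine; a note that the string is deliberately empty elsewhere would save a reader checking `lib.optionalString`.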
@@ -52,7 +52,12 @@ run ? null, }: let - built = runCommand "dotnet-test-${name}" { buildInputs = [ finalAttrs.finalPackage ]; } ('' + sdk = finalAttrs.finalPackage; + built = runCommand "dotnet-test-${name}" { + buildInputs = [ sdk ]; + # make sure ICU works in a sandbox + propagatedSandboxProfile = toString sdk.__propagatedSandboxProfile; + } ('' HOME=$PWD/.home dotnet new nugetconfig dotnet nuget disable source nuget @@ -65,11 +70,13 @@ if run == null then built else - runCommand "${built.name}-run" { src = built; nativeBuildInputs = runInputs; } ( - lib.optionalString (runtime != null) '' - # TODO: use runtime here - export DOTNET_ROOT=${runtime} - '' + run); + runCommand "${built.name}-run" { + src = built; + nativeBuildInputs = [ built ] ++ runInputs; + } (lib.optionalString (runtime != null) '' + # TODO: use runtime here + export DOTNET_ROOT=${runtime} + '' + run); # Setting LANG to something other than 'C' forces the runtime to search # for ICU, which will be required in most user environments. diff --git a/pkgs/development/compilers/dotnet/stage0.nix b/pkgs/development/compilers/dotnet/stage0.nix index e0caad3f9a67..5806a5ee6de8 100644 --- a/pkgs/development/compilers/dotnet/stage0.nix +++ b/pkgs/development/compilers/dotnet/stage0.nix @@ -25,8 +25,6 @@ let patchNupkgs = pkgsBuildHost.callPackage ./patch-nupkgs.nix {}; - signAppHost = callPackage ./sign-apphost.nix {}; - deps = mkNugetDeps { name = "dotnet-vmr-deps"; sourceFile = depsFile; @@ -51,12 +49,6 @@ let -s //Project -t elem -n Import \ -i \$prev -t attr -n Project -v "${./patch-restored-packages.proj}" \ src/*/Directory.Build.targets - '' + lib.optionalString stdenv.isDarwin '' - xmlstarlet ed \ - --inplace \ - -s //Project -t elem -n Import \ - -i \$prev -t attr -n Project -v "${signAppHost}" \ - src/runtime/Directory.Build.targets ''; postConfigure = old.postConfigure or "" + ''
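Review bot: In the second common.nix hunk `built` is added to `nativeBuildInputs` of the run derivation while it remains the derivation's `src`, and nothing says why it is now needed as a dependency as well; I assume this is so the sandbox profile propagated from the SDK reaches the run step, which only the first hunk's comment hints at. A comment on that line, `# built is also a dependency so the SDK's propagated sandbox profile applies to the run step`, would make the intent explicit. The `toString sdk.__propagatedSandboxProfile` in the first hunk has the same unguarded-attribute concern raised on build-dotnet-module/default.nix.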