dotnet: fix dotnet executables in darwin sandbox

This fixes: Could not load ICU data. UErrorCode: 2 We're using a hook instead of a wrapper because various things like to reference the unwrapped dotnet executable.
2024-02-21 13:08:01 -04:00 · 2024-02-21 13:08:01 -04:00 · 26c3d6878a
commit 26c3d6878a
parent dd1e778bf6
4 changed files with 45 additions and 20 deletions
--- a/pkgs/build-support/dotnet/build-dotnet-module/default.nix
+++ b/pkgs/build-support/dotnet/build-dotnet-module/default.nix
@ -185,6 +185,10 @@ stdenvNoCC.mkDerivation (args // {

  inherit selfContainedBuild useAppHost useDotnetFromEnv;

+  # propagate the runtime sandbox profile since the contents apply to published
+  # executables
+  propagatedSandboxProfile = toString dotnet-runtime.__propagatedSandboxProfile;
+
  passthru = {
    inherit nuget-source;
  } // lib.optionalAttrs (!lib.isDerivation nugetDeps) {
@ -316,8 +320,4 @@ stdenvNoCC.mkDerivation (args // {
  } // args.passthru or { };

  meta = (args.meta or { }) // { inherit platforms; };
-}
-  # ICU tries to unconditionally load files from /usr/share/icu on Darwin, which makes builds fail
-  # in the sandbox, so disable ICU on Darwin. This, as far as I know, shouldn't cause any built packages
-  # to behave differently, just the dotnet build tool.
-  // lib.optionalAttrs stdenvNoCC.isDarwin { DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = 1; })
+})
--- a/pkgs/development/compilers/dotnet/build-dotnet.nix
+++ b/pkgs/development/compilers/dotnet/build-dotnet.nix
@ -26,6 +26,7 @@ assert if type == "sdk" then packages != null else true;
 , mkNugetDeps
 , callPackage
 , dotnetCorePackages
+, xmlstarlet
 }:

 let
@ -47,6 +48,9 @@ let

  targetRid = dotnetCorePackages.systemToDotnetRid stdenv.targetPlatform.system;

+  sigtool = callPackage ./sigtool.nix {};
+  signAppHost = callPackage ./sign-apphost.nix {};
+
 in
 mkCommon type rec {
  inherit pname version;
@ -54,7 +58,11 @@ mkCommon type rec {
  # Some of these dependencies are `dlopen()`ed.
  nativeBuildInputs = [
    makeWrapper
-  ] ++ lib.optional stdenv.isLinux autoPatchelfHook;
+  ] ++ lib.optional stdenv.isLinux autoPatchelfHook
+  ++ lib.optionals (type == "sdk" && stdenv.isDarwin) [
+    xmlstarlet
+    sigtool
+  ];

  buildInputs = [
    stdenv.cc.cc
@ -71,6 +79,16 @@ mkCommon type rec {

  sourceRoot = ".";

+  postPatch = if type == "sdk" && stdenv.isDarwin then ''
+    xmlstarlet ed \
+      --inplace \
+      -s //_:Project -t elem -n Import \
+      -i \$prev -t attr -n Project -v "${signAppHost}" \
+      sdk/*/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.targets
+
+    codesign --remove-signature packs/Microsoft.NETCore.App.Host.osx-*/*/runtimes/osx-*/native/{apphost,singlefilehost}
+  '' else null;
+
  dontPatchELF = true;
  noDumpEnvVars = true;

@ -108,6 +126,14 @@ mkCommon type rec {
      $out/packs/Microsoft.NETCore.App.Host.${targetRid}/*/runtimes/${targetRid}/native/*host
  '';

+  # fixes: Could not load ICU data. UErrorCode: 2
+  propagatedSandboxProfile = lib.optionalString stdenv.isDarwin ''
+    (allow file-read* (subpath "/usr/share/icu"))
+    (allow file-read* (subpath "/private/var/db/mds/system"))
+    (allow mach-lookup (global-name "com.apple.SecurityServer")
+                       (global-name "com.apple.system.opendirectoryd.membership"))
+  '';
+
  passthru = {
    inherit icu;
  } // lib.optionalAttrs (type == "sdk") {
--- a/pkgs/development/compilers/dotnet/common.nix
+++ b/pkgs/development/compilers/dotnet/common.nix
@ -52,7 +52,12 @@
          run ? null,
        }:
        let
-          built = runCommand "dotnet-test-${name}" { buildInputs = [ finalAttrs.finalPackage ]; } (''
+          sdk = finalAttrs.finalPackage;
+          built = runCommand "dotnet-test-${name}" {
+            buildInputs = [ sdk ];
+            # make sure ICU works in a sandbox
+            propagatedSandboxProfile = toString sdk.__propagatedSandboxProfile;
+          } (''
            HOME=$PWD/.home
            dotnet new nugetconfig
            dotnet nuget disable source nuget
@ -65,11 +70,13 @@
          if run == null
            then built
          else
-            runCommand "${built.name}-run" { src = built; nativeBuildInputs = runInputs; } (
-              lib.optionalString (runtime != null) ''
-                # TODO: use runtime here
-                export DOTNET_ROOT=${runtime}
-              '' + run);
+            runCommand "${built.name}-run" {
+              src = built;
+              nativeBuildInputs = [ built ] ++ runInputs;
+            } (lib.optionalString (runtime != null) ''
+              # TODO: use runtime here
+              export DOTNET_ROOT=${runtime}
+            '' + run);

      # Setting LANG to something other than 'C' forces the runtime to search
      # for ICU, which will be required in most user environments.
--- a/pkgs/development/compilers/dotnet/stage0.nix
+++ b/pkgs/development/compilers/dotnet/stage0.nix
@ -25,8 +25,6 @@ let

  patchNupkgs = pkgsBuildHost.callPackage ./patch-nupkgs.nix {};

-  signAppHost = callPackage ./sign-apphost.nix {};
-
  deps = mkNugetDeps {
    name = "dotnet-vmr-deps";
    sourceFile = depsFile;
@ -51,12 +49,6 @@ let
        -s //Project -t elem -n Import \
        -i \$prev -t attr -n Project -v "${./patch-restored-packages.proj}" \
        src/*/Directory.Build.targets
-    '' + lib.optionalString stdenv.isDarwin ''
-      xmlstarlet ed \
-        --inplace \
-        -s //Project -t elem -n Import \
-        -i \$prev -t attr -n Project -v "${signAppHost}" \
-        src/runtime/Directory.Build.targets
    '';

    postConfigure = old.postConfigure or "" + ''