Merge pull request #290684 from corngood/dotnet-darwin

dotnet: fix dotnet executables in darwin sandbox
This commit is contained in:
Randy Eckenrode 2024-05-06 07:57:02 -04:00 committed by GitHub
commit 318a6a6b52
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 59 additions and 20 deletions


@ -185,6 +185,10 @@ stdenvNoCC.mkDerivation (args // {
inherit selfContainedBuild useAppHost useDotnetFromEnv;
# propagate the runtime sandbox profile since the contents apply to published
# executables
propagatedSandboxProfile = toString dotnet-runtime.__propagatedSandboxProfile;
passthru = {
inherit nuget-source;
} // lib.optionalAttrs (!lib.isDerivation nugetDeps) {
@ -316,8 +320,4 @@ stdenvNoCC.mkDerivation (args // {
} // args.passthru or { };
meta = (args.meta or { }) // { inherit platforms; };
}
# ICU tries to unconditionally load files from /usr/share/icu on Darwin, which makes builds fail
# in the sandbox, so disable ICU on Darwin. This, as far as I know, shouldn't cause any built packages
# to behave differently, just the dotnet build tool.
// lib.optionalAttrs stdenvNoCC.isDarwin { DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = 1; })
})
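Review bot: Dropping the Darwin-only `DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = 1` in the second hunk, combined with the new `propagatedSandboxProfile` in the first, means every Darwin consumer build now reads the host's `/usr/share/icu` rather than running culture-invariant, and that data is not a tracked Nix input, so culture-sensitive build steps may differ across macOS versions. The new comment on `propagatedSandboxProfile` should say so rather than only "the contents apply to published executables"; e.g. `# propagate the runtime sandbox profile since the contents apply to published executables; note it lets Darwin builds read host ICU data under /usr/share/icu, which is not an input`. `toString dotnet-runtime.__propagatedSandboxProfile` also presumes `dotnet-runtime` is a stdenv derivation carrying that attribute on Darwin; if it can be a wrapper or the attribute is forced on non-Darwin, `toString (dotnet-runtime.__propagatedSandboxProfile or [])` is the safer form — confirm against how stdenv strips `propagatedSandboxProfile`. The enclosing `mkDerivation (args // { ... })` argument set starts outside this section.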


@ -26,6 +26,7 @@ assert if type == "sdk" then packages != null else true;
, mkNugetDeps
, callPackage
, dotnetCorePackages
, xmlstarlet
}:
let
@ -47,6 +48,9 @@ let
targetRid = dotnetCorePackages.systemToDotnetRid stdenv.targetPlatform.system;
sigtool = callPackage ./sigtool.nix {};
signAppHost = callPackage ./sign-apphost.nix {};
in
mkCommon type rec {
inherit pname version;
@ -54,7 +58,11 @@ mkCommon type rec {
# Some of these dependencies are `dlopen()`ed.
nativeBuildInputs = [
makeWrapper
] ++ lib.optional stdenv.isLinux autoPatchelfHook;
] ++ lib.optional stdenv.isLinux autoPatchelfHook
++ lib.optionals (type == "sdk" && stdenv.isDarwin) [
xmlstarlet
sigtool
];
buildInputs = [
stdenv.cc.cc
@ -71,6 +79,16 @@ mkCommon type rec {
sourceRoot = ".";
postPatch = if type == "sdk" && stdenv.isDarwin then ''
xmlstarlet ed \
--inplace \
-s //_:Project -t elem -n Import \
-i \$prev -t attr -n Project -v "${signAppHost}" \
sdk/*/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.targets
codesign --remove-signature packs/Microsoft.NETCore.App.Host.osx-*/*/runtimes/osx-*/native/{apphost,singlefilehost}
'' else null;
dontPatchELF = true;
noDumpEnvVars = true;
@ -108,6 +126,14 @@ mkCommon type rec {
$out/packs/Microsoft.NETCore.App.Host.${targetRid}/*/runtimes/${targetRid}/native/*host
'';
# fixes: Could not load ICU data. UErrorCode: 2
propagatedSandboxProfile = lib.optionalString stdenv.isDarwin ''
(allow file-read* (subpath "/usr/share/icu"))
(allow file-read* (subpath "/private/var/db/mds/system"))
(allow mach-lookup (global-name "com.apple.SecurityServer")
(global-name "com.apple.system.opendirectoryd.membership"))
'';
passthru = {
inherit icu;
} // lib.optionalAttrs (type == "sdk") {
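Review bot: The comment `# fixes: Could not load ICU data. UErrorCode: 2` above the new `propagatedSandboxProfile` only explains the `/usr/share/icu` read; the `/private/var/db/mds/system` read and the `com.apple.SecurityServer` / `opendirectoryd.membership` mach-lookups are undocumented, and because the profile is propagated, every derivation that depends on this runtime inherits them. Each rule should name what needs it so it can be revisited, e.g. `# /usr/share/icu: host ICU data, read at runtime (not a tracked input)` and `# mds/system, SecurityServer, opendirectoryd: presumably required by codesign/sigtool when signing the apphost — confirm`. If the latter three are only needed by the SDK's own signing step and not by published executables, they belong in this derivation's `sandboxProfile` (or the SDK-only branch) rather than the propagated one. The `mkCommon type rec { ... }` attribute set this sits in starts and ends outside the section.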


@ -50,9 +50,18 @@
runtime ? finalAttrs.finalPackage,
runInputs ? [],
run ? null,
runAllowNetworking ? false,
}:
let
built = runCommand "dotnet-test-${name}" { buildInputs = [ finalAttrs.finalPackage ]; } (''
sdk = finalAttrs.finalPackage;
built = runCommand "dotnet-test-${name}" {
buildInputs = [ sdk ];
# make sure ICU works in a sandbox
propagatedSandboxProfile = toString sdk.__propagatedSandboxProfile + ''
(allow network-inbound (local ip))
(allow mach-lookup (global-name "com.apple.FSEvents"))
'';
} (''
HOME=$PWD/.home
dotnet new nugetconfig
dotnet nuget disable source nuget
@ -65,11 +74,19 @@
if run == null
then built
else
runCommand "${built.name}-run" { src = built; nativeBuildInputs = runInputs; } (
lib.optionalString (runtime != null) ''
# TODO: use runtime here
export DOTNET_ROOT=${runtime}
'' + run);
runCommand "${built.name}-run" ({
src = built;
nativeBuildInputs = [ built ] ++ runInputs;
} // lib.optionalAttrs (stdenv.isDarwin && runAllowNetworking) {
sandboxProfile = ''
(allow network-inbound (local ip))
(allow mach-lookup (global-name "com.apple.FSEvents"))
'';
__darwinAllowLocalNetworking = true;
}) (lib.optionalString (runtime != null) ''
# TODO: use runtime here
export DOTNET_ROOT=${runtime}
'' + run);
# Setting LANG to something other than 'C' forces the runtime to search
# for ICU, which will be required in most user environments.
@ -127,6 +144,7 @@
expect <<"EOF"
set status 1
spawn $env(src)/test
proc abort { } { exit 2 }
expect_before default abort
expect -re {Now listening on: ([^\r]+)\r} {
set url $expect_out(1,string)
@ -138,11 +156,14 @@
exit 1
}
send \x03
expect_before timeout abort
expect eof
catch wait result
exit [lindex $result 3]
EOF
touch $out
'';
runAllowNetworking = true;
};
} // args.passthru.tests or {};
} // args.passthru or {};
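Review bot: The `runAllowNetworking` gate on the run step is only partly effective, because the `built` derivation puts `(allow network-inbound (local ip))` and the FSEvents lookup into its *propagated* profile, and the run step lists `built` in `nativeBuildInputs`, so those two rules reach the run sandbox whether or not `runAllowNetworking` is set (only `__darwinAllowLocalNetworking` stays gated). The comment `# make sure ICU works in a sandbox` also does not explain why the build step itself needs inbound networking or FSEvents; if they are needed for `dotnet build`, keep them non-propagated in `sandboxProfile` and propagate only the SDK's profile, as sketched below — if they are not needed at build time, drop them from `built` entirely. Whether `dotnet build` actually needs them is not visible here and should be confirmed.
```nix
built = runCommand "dotnet-test-${name}" {
  buildInputs = [ sdk ];
  # forward the SDK's own sandbox rules (ICU etc.) to the run step, which
  # depends on this derivation rather than on the sdk directly
  propagatedSandboxProfile = toString sdk.__propagatedSandboxProfile;
  # build-time only; not propagated so runAllowNetworking stays meaningful
  sandboxProfile = ''
    (allow network-inbound (local ip))
    (allow mach-lookup (global-name "com.apple.FSEvents"))
  '';
} (''
  # … unchanged: dotnet new / nuget setup …
```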


@ -25,8 +25,6 @@ let
patchNupkgs = pkgsBuildHost.callPackage ./patch-nupkgs.nix {};
signAppHost = callPackage ./sign-apphost.nix {};
deps = mkNugetDeps {
name = "dotnet-vmr-deps";
sourceFile = depsFile;
@ -51,12 +49,6 @@ let
-s //Project -t elem -n Import \
-i \$prev -t attr -n Project -v "${./patch-restored-packages.proj}" \
src/*/Directory.Build.targets
'' + lib.optionalString stdenv.isDarwin ''
xmlstarlet ed \
--inplace \
-s //Project -t elem -n Import \
-i \$prev -t attr -n Project -v "${signAppHost}" \
src/runtime/Directory.Build.targets
'';
postConfigure = old.postConfigure or "" + ''