From 7039b24cdcda600c82ad19ef197c47d8151ef367 Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Thu, 19 Nov 2015 11:33:21 -0800
Subject: [PATCH] cherry-pick lib.sandbox into master

---
 lib/default.nix | 3 ++-
 lib/sandbox.nix | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 lib/sandbox.nix

diff --git a/lib/default.nix b/lib/default.nix
index cd0d8161c8cb..32ac0c58af6c 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -17,10 +17,11 @@ let
 systems = import ./systems.nix;
 customisation = import ./customisation.nix;
 licenses = import ./licenses.nix;
+ sandbox = import ./sandbox.nix;
 in
 { inherit trivial lists strings stringsWithDeps attrsets sources options
- modules types meta debug maintainers licenses platforms systems;
+ modules types meta debug maintainers licenses platforms systems sandbox;
 }
 # !!! don't include everything at top-level; perhaps only the most
 # commonly used functions.
diff --git a/lib/sandbox.nix b/lib/sandbox.nix
new file mode 100644
index 000000000000..414bf36f779f
--- /dev/null
+++ b/lib/sandbox.nix
@@ -0,0 +1,47 @@
+with import ./strings.nix;
+
+/* Helpers for creating lisp S-exprs for the Apple sandbox
+
+lib.sandbox.allowFileRead [ "/usr/bin/file" ];
+ # => "(allow file-read* (literal \"/usr/bin/file\"))";
+
+lib.sandbox.allowFileRead {
+ literal = [ "/usr/bin/file" ];
+ subpath = [ "/usr/lib/system" ];
+}
+ # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
+*/
+
+let
+
+sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
+generateFileList = files:
+ if builtins.isList files
+ then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files
+ else if builtins.isString files
+ then generateFileList [ files ]
+ else concatStringsSep " " (
+ (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
+ (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
+ );
+applyToFiles = f: act: files: f "${act} ${generateFileList files}";
+genActions = actionName: let
+ action = feature: sexp [ actionName feature ];
+ self = {
+ "${actionName}" = action;
+ "${actionName}File" = applyToFiles action "file*";
+ "${actionName}FileRead" = applyToFiles action "file-read*";
+ "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
+ "${actionName}DirectoryList" = self."${actionName}FileReadMetadata";
+ "${actionName}FileWrite" = applyToFiles action "file-write*";
+ "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
+ };
+ in self;
+
+in
+
+genActions "allow" // genActions "deny" // {
+ importProfile = derivation: ''
+ (import "${derivation}")
+ '';
+}
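Review bot: An empty file list reaches the sandbox rule with no filter: `generateFileList []` (or an attrset with neither `literal` nor `subpath`) evaluates to `""`, so `applyToFiles` emits e.g. `(allow file-read* )`, and as far as I know an SBPL rule without a path filter applies to every path, which silently turns an intended restriction into a blanket allow. I would make `applyToFiles` refuse that case: `applyToFiles = f: act: files: let l = generateFileList files; in if l == "" then throw "sandbox: ${act} rule needs at least one path" else f "${act} ${l}";`. The paths are also interpolated into the quoted literal unescaped, so a `"` or `\` in a path changes the structure of the generated profile; wrapping each one as `''"${escape [ "\"" "\\" ] x}"''` (escape is in scope via strings.nix) keeps one path per literal. The header comment should also state that the file list must be non-empty and that `importProfile` expects a store path, since neither is checked.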