nmattia · July 31, 2021 15:54
diff --git a/.envrc b/.envrc
 res=$(nix-build --no-link ./default.nix -A load)
 watch_file ./default.nix
 . "$res"
diff --git a/default.nix b/default.nix
 # note: all the picking exes up from /bin doesn't work in sandbox of course

 let
  # death to nixpkgs
  runCommand = env: cmd: builtins.derivation
    (
      rec {
        name = "runCommand";
        builder = /bin/bash;
        args = [ "-euo" "pipefail" "-c" input ];
        system = builtins.currentSystem;
        input = cmd;
      } // env
    );

  # yes, no sha, naughty nicolas
  npm-src = builtins.fetchTarball https://nodejs.org/download/release/v16.5.0/node-v16.5.0-darwin-x64.tar.gz;

  dfx-src = builtins.fetchTarball https://sdk.dfinity.org/downloads/dfx/0.8.0/x86_64-darwin/dfx-0.8.0.tar.gz;

  rust-toolchain-src = builtins.fetchurl https://static.rust-lang.org/dist/rust-1.54.0-x86_64-apple-darwin.pkg;

  # found in https://static.rust-lang.org/dist/channel-rust-stable.toml through
  # https://github.com/rust-lang/cargo/issues/9733
  rust-std-wasm32 = builtins.fetchTarball https://static.rust-lang.org/dist/2021-07-29/rust-std-1.54.0-wasm32-unknown-unknown.tar.gz;

  vanillaPathBits = [
    dfx-src
    "${npm-src}/bin"
    "${unpack-rust-toolchain}/cargo.pkg/Scripts/cargo/bin"
    "${unpack-rust-toolchain}/rustc.pkg/Scripts/rustc/bin"
    inenv
    
    # cheating
    "/nix/store/1xcf465jj13jvgrzqa1c5d2ghbfl5p4q-clang-wrapper-7.1.0/bin"
    "/nix/store/3xcrhspi33r0a4ppmchb2y1j1675y5a6-cmake-3.19.7/bin"
    "/nix/store/xal2m7x6xl5yg1lkndxzy9gyd8qwsga4-gnumake-4.3/bin"
    "/nix/store/5kl82zvp0aacfvp4i00i93mlpd84xily-cctools-binutils-darwin-949.0.1/bin"
    "/nix/store/jn8x9xhykkx8wa81fywgyw0z7rs3fli0-ps-1003.1-2008/bin"
    "/nix/store/6pdp40i6fadiyvfr6j8qs0l5z8wj39wn-python3-3.8.9/bin"
  ];

  # run a command in the Dune environment (sandboxed, with Dune PATH)
  inenv = runCommand {}
    ''
      export PATH=/usr/sbin:/usr/bin:/bin
      mkdir -p $out
      cat > $out/inenv <<EOF
      "\$@"
      EOF

      chmod +x $out/inenv
    '';



  vanillaPath = builtins.concatStringsSep ":" vanillaPathBits;

  # rust toolchain with x86_64-apple-darwin and wasm32-unknown-unknow targets
  unpack-rust-toolchain = runCommand {} ''
    export PATH=/usr/sbin:/usr/bin:/bin

    pkgutil --expand ${rust-toolchain-src} $out
    cp -r $out/rust-std.pkg/Scripts/rust-std-x86_64-apple-darwin/lib/rustlib/x86_64-apple-darwin/lib $out/rustc.pkg/Scripts/rustc/lib/rustlib/x86_64-apple-darwin/
    cp -r ${rust-std-wasm32}/rust-std-wasm32-unknown-unknown/lib/rustlib/wasm32-unknown-unknown $out/rustc.pkg/Scripts/rustc/lib/rustlib/

    chmod +x $out/rustc.pkg/Scripts/rustc/bin/rustc

  '';


  final = runCommand { inherit vanillaPathBits; } ''
    export PATH=/usr/bin:/bin

    mkdir -p $out/bin

    for bit in $vanillaPathBits; do
      echo looking for executables in "$bit"

      for exe in "$bit"/*; do
        exe=$(basename "$exe")
        echo found exe "$exe"

        cat > $out/bin/$exe <<EOF
          #!/usr/bin/env bash
          set -euo pipefail
          export PATH=${vanillaPath}:$PATH
          export HOME=/Users/nicolas/internet-identity/.home
          export CARGO_TARGET_X86_64_APPLE_DARWIN_RUSTFLAGS="-C link-arg=-L/nix/store/j93zvaiad3hc1kgypm4ixybfnc2k8j9i-libiconv-50/lib"
          export DYLD_FALLBACK_LIBRARY_PATH=/nix/store/j93zvaiad3hc1kgypm4ixybfnc2k8j9i-libiconv-50/lib
          export NIX_CFLAGS_LINK_x86_64_apple_darwin=-L/nix/store/j93zvaiad3hc1kgypm4ixybfnc2k8j9i-libiconv-50/lib

          export npm_config_cache=/Users/nicolas/internet-identity/.npm

          /usr/bin/sandbox-exec -f ${./profile.sb} $exe "\$@"
    EOF
        chmod +x "$out/bin/$exe"

        echo written "$out/bin/$exe"
      done
    done
  '';

  load = runCommand {} ''
    export PATH=/usr/bin:/bin

    cat > $out <<EOF
      export PATH=${final}/bin:\$PATH
    EOF
  '';

 in
 { inherit final load unpack-rust-toolchain; }
diff --git a/profile.sb b/profile.sb
 ; adapt, not an exhaustive list but denying access to '/' breaks stuff 
 ; (mostly network surprisingly)

 (version 1)
 (allow default)
 (allow network*)
 (deny file* (subpath "/Users/nicolas"))
 (allow file-read-metadata (subpath "/Users/nicolas"))
 (allow file* (subpath "/Users/nicolas/internet-identity"))
 (deny file* (subpath "/Applications"))
 (deny file* (subpath "/Users/nicolas/Applications"))

 ; not sure this is still required
 (allow file* (subpath "/Users/nicolas/Library/Caches/node-gyp"))
	res=$(nix-build --no-link ./default.nix -A load)
	watch_file ./default.nix
	. "$res"
	# note: all the picking exes up from /bin doesn't work in sandbox of course

	let
	# death to nixpkgs
	runCommand = env: cmd: builtins.derivation
	(
	rec {
	name = "runCommand";
	builder = /bin/bash;
	args = [ "-euo" "pipefail" "-c" input ];
	system = builtins.currentSystem;
	input = cmd;
	} // env
	);

	# yes, no sha, naughty nicolas
	npm-src = builtins.fetchTarball https://nodejs.org/download/release/v16.5.0/node-v16.5.0-darwin-x64.tar.gz;

	dfx-src = builtins.fetchTarball https://sdk.dfinity.org/downloads/dfx/0.8.0/x86_64-darwin/dfx-0.8.0.tar.gz;

	rust-toolchain-src = builtins.fetchurl https://static.rust-lang.org/dist/rust-1.54.0-x86_64-apple-darwin.pkg;

	# found in https://static.rust-lang.org/dist/channel-rust-stable.toml through
	# https://github.com/rust-lang/cargo/issues/9733
	rust-std-wasm32 = builtins.fetchTarball https://static.rust-lang.org/dist/2021-07-29/rust-std-1.54.0-wasm32-unknown-unknown.tar.gz;

	vanillaPathBits = [
	dfx-src
	"${npm-src}/bin"
	"${unpack-rust-toolchain}/cargo.pkg/Scripts/cargo/bin"
	"${unpack-rust-toolchain}/rustc.pkg/Scripts/rustc/bin"
	inenv

	# cheating
	"/nix/store/1xcf465jj13jvgrzqa1c5d2ghbfl5p4q-clang-wrapper-7.1.0/bin"
	"/nix/store/3xcrhspi33r0a4ppmchb2y1j1675y5a6-cmake-3.19.7/bin"
	"/nix/store/xal2m7x6xl5yg1lkndxzy9gyd8qwsga4-gnumake-4.3/bin"
	"/nix/store/5kl82zvp0aacfvp4i00i93mlpd84xily-cctools-binutils-darwin-949.0.1/bin"
	"/nix/store/jn8x9xhykkx8wa81fywgyw0z7rs3fli0-ps-1003.1-2008/bin"
	"/nix/store/6pdp40i6fadiyvfr6j8qs0l5z8wj39wn-python3-3.8.9/bin"
	];

	# run a command in the Dune environment (sandboxed, with Dune PATH)
	inenv = runCommand {}
	''
	export PATH=/usr/sbin:/usr/bin:/bin
	mkdir -p $out
	cat > $out/inenv <<EOF
	"\$@"
	EOF

	chmod +x $out/inenv
	'';



	vanillaPath = builtins.concatStringsSep ":" vanillaPathBits;

	# rust toolchain with x86_64-apple-darwin and wasm32-unknown-unknow targets
	unpack-rust-toolchain = runCommand {} ''
	export PATH=/usr/sbin:/usr/bin:/bin

	pkgutil --expand ${rust-toolchain-src} $out
	cp -r $out/rust-std.pkg/Scripts/rust-std-x86_64-apple-darwin/lib/rustlib/x86_64-apple-darwin/lib $out/rustc.pkg/Scripts/rustc/lib/rustlib/x86_64-apple-darwin/
	cp -r ${rust-std-wasm32}/rust-std-wasm32-unknown-unknown/lib/rustlib/wasm32-unknown-unknown $out/rustc.pkg/Scripts/rustc/lib/rustlib/

	chmod +x $out/rustc.pkg/Scripts/rustc/bin/rustc

	'';


	final = runCommand { inherit vanillaPathBits; } ''
	export PATH=/usr/bin:/bin

	mkdir -p $out/bin

	for bit in $vanillaPathBits; do
	echo looking for executables in "$bit"

	for exe in "$bit"/*; do
	exe=$(basename "$exe")
	echo found exe "$exe"

	cat > $out/bin/$exe <<EOF
	#!/usr/bin/env bash
	set -euo pipefail
	export PATH=${vanillaPath}:$PATH
	export HOME=/Users/nicolas/internet-identity/.home
	export CARGO_TARGET_X86_64_APPLE_DARWIN_RUSTFLAGS="-C link-arg=-L/nix/store/j93zvaiad3hc1kgypm4ixybfnc2k8j9i-libiconv-50/lib"
	export DYLD_FALLBACK_LIBRARY_PATH=/nix/store/j93zvaiad3hc1kgypm4ixybfnc2k8j9i-libiconv-50/lib
	export NIX_CFLAGS_LINK_x86_64_apple_darwin=-L/nix/store/j93zvaiad3hc1kgypm4ixybfnc2k8j9i-libiconv-50/lib

	export npm_config_cache=/Users/nicolas/internet-identity/.npm

	/usr/bin/sandbox-exec -f ${./profile.sb} $exe "\$@"
	EOF
	chmod +x "$out/bin/$exe"

	echo written "$out/bin/$exe"
	done
	done
	'';

	load = runCommand {} ''
	export PATH=/usr/bin:/bin

	cat > $out <<EOF
	export PATH=${final}/bin:\$PATH
	EOF
	'';

	in
	{ inherit final load unpack-rust-toolchain; }
	; adapt, not an exhaustive list but denying access to '/' breaks stuff
	; (mostly network surprisingly)

	(version 1)
	(allow default)
	(allow network*)
	(deny file* (subpath "/Users/nicolas"))
	(allow file-read-metadata (subpath "/Users/nicolas"))
	(allow file* (subpath "/Users/nicolas/internet-identity"))
	(deny file* (subpath "/Applications"))
	(deny file* (subpath "/Users/nicolas/Applications"))

	; not sure this is still required
	(allow file* (subpath "/Users/nicolas/Library/Caches/node-gyp"))