nixpkgs/lib/sandbox.nix

with import ./strings.nix;

/* Helpers for creating lisp S-exprs for the Apple sandbox

lib.sandbox.allowFileRead [ "/usr/bin/file" ];
  # => "(allow file-read* (literal \"/usr/bin/file\"))";

lib.sandbox.allowFileRead {
  literal = [ "/usr/bin/file" ];
  subpath = [ "/usr/lib/system" ];
}
  # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
*/

let

sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
generateFileList = files:
  if builtins.isList files
    then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files
    else if builtins.isString files
      then generateFileList [ files ]
      else concatStringsSep " " (
        (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
        (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
      );
applyToFiles = f: act: files: f "${act} ${generateFileList files}";
genActions = actionName: let
  action = feature: sexp [ actionName feature ];
  self = {
    "${actionName}" = action;
    "${actionName}File" = applyToFiles action "file*";
    "${actionName}FileRead" = applyToFiles action "file-read*";
    "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
    "${actionName}DirectoryList" = self."${actionName}FileReadMetadata";
    "${actionName}FileWrite" = applyToFiles action "file-write*";
    "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
  };
  in self;

in

genActions "allow" // genActions "deny" // {
  importProfile = derivation: ''
    (import "${derivation}")
  '';
}
start on sandbox stuff 2015-11-07 01:44:02 +00:00			`with import ./strings.nix;`

			`/* Helpers for creating lisp S-exprs for the Apple sandbox`

			`lib.sandbox.allowFileRead [ "/usr/bin/file" ];`
			`# => "(allow file-read* (literal \"/usr/bin/file\"))";`

			`lib.sandbox.allowFileRead {`
			`literal = [ "/usr/bin/file" ];`
			`subpath = [ "/usr/lib/system" ];`
			`}`
			`# => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"`
			`*/`

			`let`

			`sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";`
			`generateFileList = files:`
			`if builtins.isList files`
use per-derivation sandbox profiles 2015-11-13 02:59:17 +00:00			`then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files`
			`else if builtins.isString files`
			`then generateFileList [ files ]`
			`else concatStringsSep " " (`
			`(map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++`
			`(map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))`
			`);`
start on sandbox stuff 2015-11-07 01:44:02 +00:00			`applyToFiles = f: act: files: f "${act} ${generateFileList files}";`
			`genActions = actionName: let`
			`action = feature: sexp [ actionName feature ];`
			`self = {`
			`"${actionName}" = action;`
			`"${actionName}File" = applyToFiles action "file*";`
			`"${actionName}FileRead" = applyToFiles action "file-read*";`
			`"${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";`
use per-derivation sandbox profiles 2015-11-13 02:59:17 +00:00			`"${actionName}DirectoryList" = self."${actionName}FileReadMetadata";`
start on sandbox stuff 2015-11-07 01:44:02 +00:00			`"${actionName}FileWrite" = applyToFiles action "file-write*";`
			`"${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";`
			`};`
			`in self;`

			`in`

use per-derivation sandbox profiles 2015-11-13 02:59:17 +00:00			`genActions "allow" // genActions "deny" // {`
			`importProfile = derivation: ''`
			`(import "${derivation}")`
			`'';`
			`}`