switch to zero underscores for sandbox profiles; remove generateFrameworkProfile

pkgs/applications/editors/vim/default.nix

@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
     ];
   };
 
-  _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx";
+  sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx";
 
   # To fix the trouble in vim73, that it cannot cross-build with this patch
   # to bypass a configure script check that cannot be done cross-building.

pkgs/applications/version-management/git-and-tools/git/default.nix

@@ -37,7 +37,7 @@ stdenv.mkDerivation {
   NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s";
 
   # without this, git fails when trying to check for /etc/gitconfig existence
-  _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc";
+  propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc";
 
   makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} "
       + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1")

pkgs/development/interpreters/perl/5.20/default.nix

@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
       --replace "/bin/pwd" "$pwd"
   '';
 
-  _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
+  sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
 
   # Build a thread-safe Perl with a dynamic libperls.o.  We need the
   # "installstyle" option to ensure that modules are put under

pkgs/os-specific/darwin/apple-sdk/default.nix

@@ -1,7 +1,6 @@
 { stdenv, fetchurl, xar, gzip, cpio, pkgs }:
 
 let
-  generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {};
   # sadly needs to be exported because security_tool needs it
   sdk = stdenv.mkDerivation rec {
     version = "10.9";
@@ -97,11 +96,11 @@ let
     propagatedBuildInputs = deps;
 
     # allows building the symlink tree
-    _sandboxProfile = ''
+    sandboxProfile = ''
       (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework"))
     '';
 
-    _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name);
+    __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}";
 
     meta = with stdenv.lib; {
       description = "Apple SDK framework ${name}";
@@ -165,7 +164,7 @@ in rec {
     });
 
     CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: {
-      _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ [''
+      __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ [''
         (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd"))
       ''];
     });
@@ -182,5 +181,5 @@ in rec {
 
   frameworks = bareFrameworks // overrides bareFrameworks;
 
-  inherit sdk generateFrameworkProfile;
+  inherit sdk;
 }

pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix

@@ -1,64 +0,0 @@
-{ runCommand }:
-
-# In a normal programming language, one might store a hashmap
-# { library name -> runtime dependencies }.
-# associative arrays were only recently added to bash, and even then, bash arrays cannot
-# be multidimensional. instead, the filesystem is the hash table!
-# once every dependency in the tree has been visited, a comprehensive list of libraries
-# will exist inside ./build. then `find ./build -type f` will give you the
-# dependency tree you need!
-
-frameworkName:
-
-let path = "/System/Library/Frameworks/${frameworkName}.framework";
-
-in runCommand "${frameworkName}-profile.sb" {
-  # __noChroot lite
-  _sandboxProfile = ''
-    (allow file* (subpath "/"))
-  '';
-
-  # inconsistencies may exist between self and hydra
-  allowSubstitutes = false;
-} ''
-  if [ ! -f "${path}/${frameworkName}" ]; then
-    touch $out
-    exit
-  fi
-  base=./build
-  find_deps () {
-    if [ -f "$base/$1" ]; then
-      return
-    fi
-    dependencies=$(otool -l -arch x86_64 $1 \
-      | grep 'LC_\w*_DYLIB' -A 2 \
-      | grep name \
-      | sed 's/^ *//' \
-      | cut -d' ' -f2)
-    mkdir -p $base/"$(dirname "$1")"
-    touch $base/"$1"
-    for dep in $dependencies; do
-      find_deps "$dep"
-    done
-  }
-  find_deps "${path}/${frameworkName}" "$out"
-  set -o noglob
-  profile="(allow file-read*"
-  for file in $(find $base -type f); do
-    filename=''${file/$base/}
-    case $filename in
-      /usr/lib/system*) ;;
-      /usr/lib/libSystem.dylib) ;;
-      /usr/lib/libSystem.B.dylib) ;;
-      /usr/lib/libobjc.A.dylib) ;;
-      /usr/lib/libobjc.dylib) ;;
-      /usr/lib/libauto.dylib) ;;
-      /usr/lib/libc++abi.dylib) ;;
-      /usr/lib/libDiagnosticMessagesClient.dylib) ;;
-      *) profile+=" (literal \"$filename\")" ;;
-    esac
-  done
-  profile+=" (literal \"${path}/${frameworkName}\")"
-  profile+=" (literal \"${path}/Versions/Current\")"
-  echo "$profile)" > $out
-''

pkgs/os-specific/darwin/apple-source-releases/CF/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }:
+{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }:
 
 # this project uses blocks, a clang-only extension
 assert stdenv.cc.isClang;
@@ -8,7 +8,7 @@ appleDerivation {
 
   patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ];
 
-  _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation");
+  __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation";
 
   preBuild = ''
     substituteInPlace Makefile \

pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix

@@ -81,7 +81,7 @@ in appleDerivation {
   ];
 
   # ps uses this syscall to get process info
-  _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";
+  propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";
 
   meta = {
     platforms = stdenv.lib.platforms.darwin;

pkgs/os-specific/darwin/apple-source-releases/configd/default.nix

@@ -7,7 +7,7 @@ appleDerivation {
 
   propagatedBuildInputs = [ Security ];
 
-  _propagatedSandboxProfile = ''
+  propagatedSandboxProfile = ''
     (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
   '';
 

pkgs/os-specific/darwin/apple-source-releases/default.nix

@@ -54,11 +54,9 @@ let
     inherit (adv_cmds) ps locale;
     architecture    = applePackage "architecture"      "265"         "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {};
     bootstrap_cmds  = applePackage "bootstrap_cmds"    "86"          "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {};
-    bsdmake         = applePackage "bsdmake"           "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
+    bsdmake         = applePackage "bsdmake"           "24"          "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
     CarbonHeaders   = applePackage "CarbonHeaders"     "9A581"       "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {};
-    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {
+    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {};
-      inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile;
-    };
     CommonCrypto    = applePackage "CommonCrypto"      "60049"       "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {};
     configd         = applePackage "configd"           "453.19"      "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {};
     copyfile        = applePackage "copyfile"          "103.92.1"    "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {};

pkgs/stdenv/generic/default.nix

@@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , extraBuildInputs ? []
 , __stdenvImpureHostDeps ? []
 , __extraImpureHostDeps ? []
-, _stdenvSandboxProfile ? ""
+, stdenvSandboxProfile ? ""
-, _extraSandboxProfile ? ""
+, extraSandboxProfile ? ""
 }:
 
 let
@@ -102,8 +102,8 @@ let
     , outputs ? [ "out" ]
     , __impureHostDeps ? []
     , __propagatedImpureHostDeps ? []
-    , _sandboxProfile ? ""
+    , sandboxProfile ? ""
-    , _propagatedSandboxProfile ? ""
+    , propagatedSandboxProfile ? ""
     , ... } @ attrs:
     let
       pos' =
@@ -154,12 +154,12 @@ let
         (removeAttrs attrs
           ["meta" "passthru" "crossAttrs" "pos"
            "__impureHostDeps" "__propagatedImpureHostDeps"
-           "_sandboxProfile" "_propagatedSandboxProfile"])
+           "sandboxProfile" "propagatedSandboxProfile"])
         // (let
           computedSandboxProfile =
-            lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs);
+            lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs);
           computedPropagatedSandboxProfile =
-            lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs);
+            lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs);
         in
         {
           builder = attrs.realBuilder or shell;
@@ -178,11 +178,11 @@ let
             (if crossConfig == null then propagatedBuildInputs else []);
         } // ifDarwin {
           # TODO: remove lib.unique once nix has a list canonicalization primitive
-          _sandboxProfile =
+          __sandboxProfile =
-          let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ];
+          let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
               final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
           in final;
-          _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]);
+          __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
         } // (if outputs' != [ "out" ] then {
           outputs = outputs';
         } else { })))) (
@@ -219,7 +219,7 @@ let
       inherit preHook initialPath shell defaultNativeBuildInputs;
     }
     // ifDarwin {
-      _sandboxProfile = _stdenvSandboxProfile;
+      __sandboxProfile = stdenvSandboxProfile;
     })
 
     // rec {

pkgs/stdenv/pure-darwin/default.nix

@@ -50,7 +50,7 @@ in rec {
 
     inherit (bootstrapFiles) mkdir bzip2 cpio;
 
-    _sandboxProfile = binShClosure + libSystemProfile;
+    __sandboxProfile = binShClosure + libSystemProfile;
   };
 
   stageFun = step: last: {shell             ? "${bootstrapTools}/bin/sh",
@@ -93,8 +93,8 @@ in rec {
         };
 
         # The stdenvs themselves don't use mkDerivation, so I need to specify this here
-        _stdenvSandboxProfile = binShClosure + libSystemProfile;
+        stdenvSandboxProfile = binShClosure + libSystemProfile;
-        _extraSandboxProfile  = binShClosure + libSystemProfile;
+        extraSandboxProfile  = binShClosure + libSystemProfile;
 
         extraAttrs = { inherit platform; };
         overrides  = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; };
@@ -269,8 +269,8 @@ in rec {
       export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
     '';
 
-    _stdenvSandboxProfile = binShClosure + libSystemProfile;
+    stdenvSandboxProfile = binShClosure + libSystemProfile;
-    _extraSandboxProfile  = binShClosure + libSystemProfile;
+    extraSandboxProfile  = binShClosure + libSystemProfile;
 
     initialPath = import ../common-path.nix { inherit pkgs; };
     shell       = "${pkgs.bash}/bin/bash";