lowdown: add flag to disable the Darwin sandbox (#346945)

pkgs/applications/blockchains/clightning/default.nix

@@ -8,7 +8,7 @@
 , automake
 , gettext
 , libtool
-, lowdown
+, lowdown-unsandboxed
 , protobuf
 , unzip
 , which
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
   # when building on darwin we need cctools to provide the correct libtool
   # as libwally-core detects the host as darwin and tries to add the -static
   # option to libtool, also we have to add the modified gsed package.
-  nativeBuildInputs = [ autoconf autogen automake gettext libtool lowdown protobuf py3 unzip which ]
+  nativeBuildInputs = [ autoconf autogen automake gettext libtool lowdown-unsandboxed protobuf py3 unzip which ]
     ++ lib.optionals stdenv.hostPlatform.isDarwin [ cctools darwin.autoSignDarwinBinariesHook ];
 
   buildInputs = [ gmp libsodium sqlite zlib jq ];

pkgs/by-name/ce/certspotter/package.nix

@@ -1,7 +1,7 @@
 { lib
 , fetchFromGitHub
 , buildGoModule
-, lowdown
+, lowdown-unsandboxed
 }:
 
 buildGoModule rec {
@@ -19,7 +19,7 @@ buildGoModule rec {
 
   ldflags = [ "-s" "-w" ];
 
-  nativeBuildInputs = [ lowdown ];
+  nativeBuildInputs = [ lowdown-unsandboxed ];
 
   postInstall = ''
     cd man

pkgs/tools/package-management/lix/common.nix

@@ -39,6 +39,7 @@ assert (hash == null) -> (src != null);
   libcpuid,
   libsodium,
   lowdown,
+  lowdown-unsandboxed,
   lsof,
   mercurial,
   mdbook,
@@ -119,7 +120,7 @@ stdenv.mkDerivation {
     ]
     ++ lib.optionals isLegacyParser [ bison ]
     ++ lib.optionals enableDocumentation [
-      (lib.getBin lowdown)
+      (lib.getBin lowdown-unsandboxed)
       mdbook
       mdbook-linkcheck
       doxygen

pkgs/tools/package-management/nix/common.nix

@@ -59,6 +59,7 @@ in
 , libxml2
 , libxslt
 , lowdown
+, lowdown-unsandboxed
 , toml11
 , man
 , mdbook
@@ -122,7 +123,7 @@ self = stdenv.mkDerivation {
     docbook_xsl_ns
     docbook5
   ] ++ lib.optionals (enableDocumentation && atLeast24) [
-    (lib.getBin lowdown)
+    (lib.getBin lowdown-unsandboxed)
     mdbook
   ] ++ lib.optionals (atLeast213 && enableDocumentation) [
     mdbook-linkcheck

pkgs/tools/typesetting/lowdown/default.nix

@@ -2,12 +2,13 @@
 , fetchpatch
 , enableShared ? !stdenv.hostPlatform.isStatic
 , enableStatic ? stdenv.hostPlatform.isStatic
+, enableDarwinSandbox ? true
 # for passthru.tests
 , nix
 }:
 
 stdenv.mkDerivation rec {
-  pname = "lowdown";
+  pname = "lowdown${lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed"}";
   version = "1.1.0";
 
   outputs = [ "out" "lib" "dev" "man" ];
@@ -54,7 +55,9 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ which dieHook ]
     ++ lib.optionals stdenv.hostPlatform.isDarwin [ fixDarwinDylibNames ];
 
-  preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) ''
+  # The Darwin sandbox calls fail inside Nix builds, presumably due to
+  # being nested inside another sandbox.
+  preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) ''
     echo 'HAVE_SANDBOX_INIT=0' > configure.local
   '';
 
@@ -103,7 +106,8 @@ stdenv.mkDerivation rec {
     '';
 
   doInstallCheck = true;
-  installCheckPhase = ''
+
+  installCheckPhase = lib.optionalString (!stdenv.hostPlatform.isDarwin || !enableDarwinSandbox) ''
     runHook preInstallCheck
     echo '# TEST' > test.md
     $out/bin/lowdown test.md

pkgs/top-level/all-packages.nix

@@ -5426,6 +5426,11 @@ with pkgs;
 
   lowdown = callPackage ../tools/typesetting/lowdown { };
 
+  # Less secure variant of lowdown for use inside Nix builds.
+  lowdown-unsandboxed = lowdown.override {
+    enableDarwinSandbox = false;
+  };
+
   numatop = callPackage ../os-specific/linux/numatop { };
 
   numworks-udev-rules = callPackage ../os-specific/linux/numworks-udev-rules { };