From dc32d18e521e75f5be833bf5e8e5d980bb5211a3 Mon Sep 17 00:00:00 2001
From: Emily
Date: Sun, 6 Oct 2024 21:02:23 +0100
Subject: [PATCH 1/2] lowdown: add flag to disable the Darwin sandbox
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a program written in a memory‐unsafe language that processes potentially‐untrusted user input. We shouldn’t disable upstream’s sandboxing mechanisms for all downstream consumers without good reason. Although the sandbox API is officially marked as deprecated, it is used as the basis for the supported App Sandbox and it is extremely unlikely to ever be removed as it is used extensively throughout the OS for service hardening and by third parties like the Chrome sandbox. Nix itself uses it to sandbox builds, and its lack of support for nesting is why this caused problems in the first place. Instead, introduce a `lowdown-unsandboxed` package that can be used in the `nativeBuildInputs` of Nix builds, while keeping the sandboxed version of the program for general use. The name might not be ideal, as it remains identical to `lowdown` on non‐Darwin platforms, but I couldn’t think of a better one.

See: #125004
Closes: #346933
---
 pkgs/tools/typesetting/lowdown/default.nix | 10 +++++++---
 pkgs/top-level/all-packages.nix | 5 +++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/typesetting/lowdown/default.nix b/pkgs/tools/typesetting/lowdown/default.nix
index e898d73269641..7449be94e12ca 100644
--- a/pkgs/tools/typesetting/lowdown/default.nix
+++ b/pkgs/tools/typesetting/lowdown/default.nix
@@ -2,12 +2,13 @@
 , fetchpatch
 , enableShared ? !stdenv.hostPlatform.isStatic
 , enableStatic ? stdenv.hostPlatform.isStatic
+, enableDarwinSandbox ? true
 # for passthru.tests
 , nix
 }:
 
 stdenv.mkDerivation rec {
- pname = "lowdown";
+ pname = "lowdown${lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed"}";
 version = "1.1.0";
 
 outputs = [ "out" "lib" "dev" "man" ];
 
@@ -54,7 +55,9 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ which dieHook ]
 ++ lib.optionals stdenv.hostPlatform.isDarwin [ fixDarwinDylibNames ];
 
- preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) ''
+ # The Darwin sandbox calls fail inside Nix builds, presumably due to
+ # being nested inside another sandbox.
+ preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) ''
 echo 'HAVE_SANDBOX_INIT=0' > configure.local
 '';
 
@@ -103,7 +106,8 @@ stdenv.mkDerivation rec {
 '';
 
 doInstallCheck = true;
- installCheckPhase = ''
+
+ installCheckPhase = lib.optionalString (!stdenv.hostPlatform.isDarwin || !enableDarwinSandbox) ''
 runHook preInstallCheck
 echo '# TEST' > test.md
 $out/bin/lowdown test.md
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f8cd809caae64..2ba0aea070f2e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5434,6 +5434,11 @@ with pkgs;
 
 lowdown = callPackage ../tools/typesetting/lowdown { };
 
+ # Less secure variant of lowdown for use inside Nix builds.
+ lowdown-unsandboxed = lowdown.override {
+ enableDarwinSandbox = false;
+ };
+
 numatop = callPackage ../os-specific/linux/numatop { };
 
 numworks-udev-rules = callPackage ../os-specific/linux/numworks-udev-rules { };

From b370a686cac3d414fbfa3246a74069e4d7fc39d2 Mon Sep 17 00:00:00 2001
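Review bot: The new `enableDarwinSandbox ? true` parameter has no comment saying what flipping it gives up, so a future `override` author sees only the `-unsandboxed` suffix in `pname` as a hint that a hardening measure is being removed from a memory-unsafe parser of untrusted input. A one-line comment at the parameter would carry that context: `# Only disable for use inside another sandbox (e.g. Nix builds); the sandbox is upstream's hardening for untrusted input. No effect off Darwin.` The "no effect off Darwin" part follows from every use of the flag being guarded by `stdenv.hostPlatform.isDarwin`. The argument set's opening line is outside the hunk.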
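Review bot: Gating `installCheckPhase` with `lib.optionalString` while keeping `doInstallCheck = true` does not actually skip the check on sandboxed Darwin builds: as far as I recall, stdenv's `runPhase` falls back to the default `installCheckPhase` function when the variable is empty, so the build would try the default `installcheck` make target (or report that none exists) rather than do nothing. Putting the condition on the flag states the intent directly and leaves the phase body as it was: `doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox;` with `installCheckPhase = ''` unchanged. Either way, a comment should record that the sandboxed Darwin binary now leaves the build untested, so a failure of the sandbox initialisation that `HAVE_SANDBOX_INIT` guards would only surface for end users; the remainder of the phase and any `passthru.tests` are outside this hunk. The blank line added between `doInstallCheck` and `installCheckPhase` also splits two attributes the surrounding code keeps together.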
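Review bot: The comment `# Less secure variant of lowdown for use inside Nix builds.` says the variant is weaker but neither how nor that it evaluates to the same derivation as `lowdown` on non-Darwin platforms (the `pname` suffix and `preConfigure` change are both guarded by `isDarwin`), which is what a reader choosing between the two attributes needs. Suggest: `# lowdown with its Darwin sandbox disabled, because the sandbox cannot be nested inside the Nix build sandbox. Identical to lowdown on other platforms. Use only in nativeBuildInputs, never as a runtime dependency for rendering untrusted Markdown.`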
From: Emily
Date: Sun, 6 Oct 2024 21:02:23 +0100
Subject: [PATCH 2/2] treewide: use lowdown-unsandboxed where appropriate

---
 pkgs/applications/blockchains/clightning/default.nix | 4 ++--
 pkgs/by-name/ce/certspotter/package.nix | 4 ++--
 pkgs/tools/package-management/lix/common.nix | 3 ++-
 pkgs/tools/package-management/nix/common.nix | 3 ++-
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/pkgs/applications/blockchains/clightning/default.nix b/pkgs/applications/blockchains/clightning/default.nix
index 9f84685e8c105..6ed103a4b287b 100644
--- a/pkgs/applications/blockchains/clightning/default.nix
+++ b/pkgs/applications/blockchains/clightning/default.nix
@@ -8,7 +8,7 @@
 , automake
 , gettext
 , libtool
-, lowdown
+, lowdown-unsandboxed
 , protobuf
 , unzip
 , which
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 # when building on darwin we need cctools to provide the correct libtool
 # as libwally-core detects the host as darwin and tries to add the -static
 # option to libtool, also we have to add the modified gsed package.
- nativeBuildInputs = [ autoconf autogen automake gettext libtool lowdown protobuf py3 unzip which ]
+ nativeBuildInputs = [ autoconf autogen automake gettext libtool lowdown-unsandboxed protobuf py3 unzip which ]
 ++ lib.optionals stdenv.hostPlatform.isDarwin [ cctools darwin.autoSignDarwinBinariesHook ];
 buildInputs = [ gmp libsodium sqlite zlib jq ];
diff --git a/pkgs/by-name/ce/certspotter/package.nix b/pkgs/by-name/ce/certspotter/package.nix
index e40c580618494..72cb1e54c0b8f 100644
--- a/pkgs/by-name/ce/certspotter/package.nix
+++ b/pkgs/by-name/ce/certspotter/package.nix
@@ -1,7 +1,7 @@
 { lib
 , fetchFromGitHub
 , buildGoModule
-, lowdown
+, lowdown-unsandboxed
 }:
 
 buildGoModule rec {
@@ -19,7 +19,7 @@ buildGoModule rec {
 ldflags = [ "-s" "-w" ];
 
- nativeBuildInputs = [ lowdown ];
+ nativeBuildInputs = [ lowdown-unsandboxed ];
 
 postInstall = ''
 cd man
diff --git a/pkgs/tools/package-management/lix/common.nix b/pkgs/tools/package-management/lix/common.nix
index dd1580bc43365..521c27b7e7bcf 100644
--- a/pkgs/tools/package-management/lix/common.nix
+++ b/pkgs/tools/package-management/lix/common.nix
@@ -39,6 +39,7 @@ assert (hash == null) -> (src != null);
 libcpuid,
 libsodium,
 lowdown,
+ lowdown-unsandboxed,
 lsof,
 mercurial,
 mdbook,
@@ -119,7 +120,7 @@ stdenv.mkDerivation {
 ] ++ lib.optionals isLegacyParser [ bison ]
 ++ lib.optionals enableDocumentation [
- (lib.getBin lowdown)
+ (lib.getBin lowdown-unsandboxed)
 mdbook
 mdbook-linkcheck
 doxygen
diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix
index c26cb410399de..4d04cbb6274d7 100644
--- a/pkgs/tools/package-management/nix/common.nix
+++ b/pkgs/tools/package-management/nix/common.nix
@@ -59,6 +59,7 @@ in
 , libxml2
 , libxslt
 , lowdown
+, lowdown-unsandboxed
 , toml11
 , man
 , mdbook
@@ -122,7 +123,7 @@ self = stdenv.mkDerivation {
 docbook_xsl_ns
 docbook5
 ] ++ lib.optionals (enableDocumentation && atLeast24) [
- (lib.getBin lowdown)
+ (lib.getBin lowdown-unsandboxed)
 mdbook
 ] ++ lib.optionals (atLeast213 && enableDocumentation) [
 mdbook-linkcheck