nix: fix macOS sandbox escape via builtin builders

fixes
GHSA-wf4c-57rh-9pjg

(cherry picked from commit 2f6dc5c)

pkgs/tools/package-management/nix/common.nix

@@ -16,6 +16,7 @@ let
   atLeast210 = lib.versionAtLeast version "2.10pre";
   atLeast213 = lib.versionAtLeast version "2.13pre";
   atLeast214 = lib.versionAtLeast version "2.14pre";
+  atLeast218 = lib.versionAtLeast version "2.18pre";
   atLeast219 = lib.versionAtLeast version "2.19pre";
   atLeast220 = lib.versionAtLeast version "2.20pre";
   atLeast221 = lib.versionAtLeast version "2.21pre";
@@ -42,6 +43,7 @@ in
 , callPackage
 , coreutils
 , curl
+, darwin
 , docbook_xsl_ns
 , docbook5
 , editline
@@ -150,6 +152,8 @@ self = stdenv.mkDerivation {
     libseccomp
   ] ++ lib.optionals withAWS [
     aws-sdk-cpp
+  ] ++ lib.optional (atLeast218 && stdenv.hostPlatform.isDarwin) [
+    darwin.apple_sdk.libs.sandbox
   ];
 
   installCheckInputs = lib.optionals atLeast221 [

pkgs/tools/package-management/nix/default.nix

@@ -176,42 +176,85 @@ in lib.makeExtensible (self: ({
     version = "2.18.8";
     hash = "sha256-0rHRifdjzzxMh/im8pRx6XoY62irDTDUes+Pn0CR65I=";
     self_attribute_name = "nix_2_18";
+    patches = [
+      ./patches/2_18/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/2_18/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/2_18/0003-local-derivation-goal-Refactor.patch
+      ./patches/2_18/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
   };
 
   nix_2_19 = common {
     version = "2.19.6";
     hash = "sha256-XT5xiwOLgXf+TdyOjbJVOl992wu9mBO25WXHoyli/Tk=";
     self_attribute_name = "nix_2_19";
+    patches = [
+      ./patches/2_19/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/2_19/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/2_19/0003-local-derivation-goal-Refactor.patch
+      ./patches/2_19/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
   };
 
   nix_2_20 = common {
     version = "2.20.8";
     hash = "sha256-M2tkMtjKi8LDdNLsKi3IvD8oY/i3rtarjMpvhybS3WY=";
     self_attribute_name = "nix_2_20";
+    patches = [
+      ./patches/2_20/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/2_20/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/2_20/0003-local-derivation-goal-Refactor.patch
+      ./patches/2_20/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
   };
 
   nix_2_21 = common {
     version = "2.21.4";
     hash = "sha256-c6nVZ0pSrfhFX3eVKqayS+ioqyAGp3zG9ZPO5rkXFRQ=";
     self_attribute_name = "nix_2_21";
+    patches = [
+      ./patches/2_21/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/2_21/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/2_21/0003-local-derivation-goal-Refactor.patch
+      ./patches/2_21/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
   };
 
   nix_2_22 = common {
     version = "2.22.3";
     hash = "sha256-l04csH5rTWsK7eXPWVxJBUVRPMZXllFoSkYFTq/i8WU=";
     self_attribute_name = "nix_2_22";
+    patches = [
+      ./patches/2_22/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/2_22/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/2_22/0003-local-derivation-goal-Refactor.patch
+      ./patches/2_22/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
   };
 
   nix_2_23 = common {
     version = "2.23.3";
     hash = "sha256-lAoLGVIhRFrfgv7wcyduEkyc83QKrtsfsq4of+WrBeg=";
     self_attribute_name = "nix_2_23";
+    patches = [
+      ./patches/2_23/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/2_23/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/2_23/0003-local-derivation-goal-Refactor.patch
+      ./patches/2_23/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
   };
 
   nix_2_24 = (common {
     version = "2.24.8";
     hash = "sha256-YPJA0stZucs13Y2DQr3JIL6JfakP//LDbYXNhic/rKk=";
     self_attribute_name = "nix_2_24";
+    patches = [
+      ./patches/2_24/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/2_24/0002-packaging-Add-darwin-lsandbox-in-meson.patch
+      ./patches/2_24/0003-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/2_24/0004-local-derivation-goal-Refactor.patch
+      ./patches/2_24/0005-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
   }).override (lib.optionalAttrs (stdenv.isDarwin && stdenv.isx86_64) {
     # Fix the following error with the default x86_64-darwin SDK:
     #
@@ -232,6 +275,14 @@ in lib.makeExtensible (self: ({
       rev = "ca3fc1693b309ab6b8b0c09408a08d0055bf0363";
       hash = "sha256-Hp7dkx7zfB9a4l5QusXUob0b1T2qdZ23LFo5dcp3xrU=";
     };
+    patches = [
+      ./patches/git/0001-Fix-meson-build-on-darwin.patch
+      ./patches/git/0002-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
+      ./patches/git/0003-packaging-Add-darwin-lsandbox-in-meson.patch
+      ./patches/git/0004-local-derivation-goal-Print-sandbox-error-detail-on-.patch
+      ./patches/git/0005-local-derivation-goal-Refactor.patch
+      ./patches/git/0006-local-derivation-goal-Move-builder-preparation-to-no.patch
+    ];
     self_attribute_name = "git";
   }).override (lib.optionalAttrs (stdenv.isDarwin && stdenv.isx86_64) {
     # Fix the following error with the default x86_64-darwin SDK: