From ecdbc3b207eaec1a2cafd2a0d494bcbabdd60a11 Mon Sep 17 00:00:00 2001
From: Artemis Tosini <lix@artem.ist>
Date: Fri, 3 May 2024 00:56:30 +0000
Subject: [PATCH] libstore: check additionalSandboxProfile

Currently LocalDerivationGoal allows setting `__sandboxProfile`
to add sandbox parameters on Darwin when `sandbox=true`.
This was only supposed to have an effect when `sandbox=relaxed`

Change-Id: Ide44ee82d7e4d6b545285eab26547e7014817d3f
---
 src/libstore/build/local-derivation-goal.cc | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 84d3b4a73..03e33a46d 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -192,6 +192,7 @@ void LocalDerivationGoal::tryLocalBuild()
                 throw Error("derivation '%s' has '__noChroot' set, "
                     "but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
 #if __APPLE__
+            additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
             if (additionalSandboxProfile != "")
                 throw Error("derivation '%s' specifies a sandbox profile, "
                     "but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
@@ -492,10 +493,6 @@ void LocalDerivationGoal::startBuilder()
             settings.thisSystem,
             concatStringsSep<StringSet>(", ", worker.store.systemFeatures));
 
-#if __APPLE__
-    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
-#endif
-
     /* Create a temporary directory where the build will take
        place. */
     tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);