Honestly, I would rather do less fakeroot than more. It’s pretty cursed. I’d like to get to the point where sandbox = true can build things reliably enough to be on by default, through improvements in both the default sandbox profile and in Nixpkgs, since sandbox profiles in derivations are a huge hole in the security model. NixOS/nix#10878 seems like a mistake to me, as it is yet another side channel for derivation builds to communicate with each other and the outside world:

{
  runCommandCC,
  role,
}:
    
let
  src = ''
    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>
    #include <sys/ipc.h>
    #include <sys/msg.h>

    struct message {
        long type;
        char text[64];
    };

    int main(int argc, char **argv)
    {
        int queue = msgget(1234, IPC_CREAT | 0666);
        if (strcmp(argv[1], "server") == 0) {
            if (msgsnd(queue, &(struct message){
                .type = 1,
                .text = "hi",
            }, sizeof("hi"), 0) < 0) abort();
        } else {
            struct message m;
            if (msgrcv(queue, &m, 64, 1, 0) < 0) abort();
            puts(m.text);
        }
    }
  '';
in

runCommandCC "sysv-ipc-test" {
  sandboxProfile = "(allow ipc-sysv*)";
} ''
  cc ${builtins.toFile "test.c" src}
  ./a.out ${role}
''

It looks like fakeroot can be used with loopback TCP, which should work in combination with __darwinAllowLocalNetworking, but it would really be ideal if it could use Unix sockets instead… but I’d still lean towards less test coverage over fakeroot in many cases, since you’re not exactly testing against the real operating system API.

Switched to git format-patch format; merging.

Yeah, that makes sense - that example is pretty illustrative. It seems like patching tests which fail in the sandbox (or disabling them, if that's not possible) should be preferred to setting a sandboxProfile. I'll update my open PRs to do this.

I think it depends – there are some cases where there doesn’t seem to be any good reason not to allow access to something by default (e.g. the OS‐provided fonts, to allow CoreText‐using tests to work), and in that case I think the default sandbox profile should be fixed but that it’s fine to use sandboxProfile to work around it in the meantime. However I would like to move in a direction of the macOS sandbox being an actual security/isolation boundary of some sort, and not allowing communication unless we really have to is a sensible part of that. Currently builds can still access the global /tmp, but I am hoping we can gradually fix that.

Feel free to ping me on macOS sandbox–related PRs, though my responsiveness is unreliable so no need to block on it.