
cargo: avoid using system curl on darwin #300521

Merged (1 commit, Dec 6, 2024)

Conversation

al3xtjames
Contributor

Description of changes

Modern versions of macOS link the system-provided curl library against the system-provided libressl library. On recent versions of macOS, the system libressl library reads from /private/etc/ssl/openssl.cnf. As this path is not included in the default Nix sandbox profile, applications that use the system curl library will report a permission error.

This issue affects the bootstrap version of cargo and can be seen while building rustc for darwin with the sandbox enabled. This change works around the sandbox failure by using install_name_tool to patch the cargo binary to use curl provided by Nix, which was the approach used in oxalica/rust-overlay.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

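The retargeting step the description refers to, as an added example that is not code from this PR or from nixpkgs: a POSIX shell helper that turns `otool -L` output into the `install_name_tool -change` arguments needed to point a Mach-O binary at the Nix-provided libcurl, plus a check a packager can run afterwards to confirm no system libcurl reference survives. The sample `otool -L` output, the `/nix/store/constructed-curl` path and the function names are constructed for the example; on a Mac you would pipe real `otool -L cargo` output through it.

```shell
#!/bin/sh
# Added example (not code from the PR or nixpkgs): derive install_name_tool
# arguments that swap a binary's system libcurl for the Nix-provided one, and
# verify afterwards that no system libcurl reference remains.
# Assumptions: the system install name matches /usr/lib/libcurl.*.dylib and the
# Nix curl library directory is passed as $1 (constructed paths, not the PR's).

# Constructed sample of `otool -L cargo` output (real otool indents with a tab).
SAMPLE_OTOOL='cargo:
    /usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 9.0.0)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.0.0)'

# Read `otool -L` output on stdin; for each system libcurl line print
# "-change OLD NEW", where NEW keeps the library basename under $1.
curl_change_args() {
    nix_lib_dir=$1
    while IFS= read -r line; do
        case $line in
            */usr/lib/libcurl*.dylib*)
                set -- $line   # word-split the line: $1 is the install name
                printf '%s %s %s/%s\n' -change "$1" "$nix_lib_dir" "${1##*/}"
                ;;
        esac
    done
}

# Succeed only if the `otool -L` output on stdin no longer mentions system curl.
no_system_curl() {
    ! grep -q '/usr/lib/libcurl'
}

# Assemble the full install_name_tool command line for binary $2 from the
# sample output (on a Mac, feed curl_change_args real `otool -L "$2"` output).
patch_command() {
    args=$(printf '%s\n' "$SAMPLE_OTOOL" | curl_change_args "$1" | tr '\n' ' ')
    printf 'install_name_tool %s%s\n' "$args" "$2"
}

patch_command /nix/store/constructed-curl/lib ./cargo
```

After running the generated command on a real binary, `otool -L cargo | no_system_curl` exits 0 only when the system curl dependency is gone, which is the condition the sandbox failure hinges on.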

@ofborg ofborg bot added the 6.topic: darwin Running or building packages on Darwin label Mar 31, 2024
@winterqt winterqt self-assigned this Mar 31, 2024
@winterqt
Member

winterqt commented Mar 31, 2024

Thank you!

I'm going to take a closer look at this at some point this week, but it may take me a bit to conduct a proper review, as I'd like to test this on multiple major macOS versions. (My main suspicion is that this may be a Sonoma issue, not a Ventura one as noted in the rust-overlay PR.)

@al3xtjames
Contributor Author

Sounds good. I'm not on Ventura so I can't comment on that, but I do see it on 14.4.1.

@winterqt
Member

winterqt commented Mar 31, 2024

The last times I built rustc on Ventura in a sandbox, I did not run into this issue, which makes me think it's a Sonoma thing and perhaps the original author just typo'd.

@winterqt
Member

I'm (finally) going to take some time to look into this either today or tomorrow, extremely sorry about the delay.

@al3xtjames
Contributor Author

No worries! FWIW I've been using a fork of nixpkgs-unstable with this PR on x86_64-darwin (currently 14.5) and haven't run into any issues.

@n8henrie
Contributor

I keep running into this -- seeing it currently on nixpkgs/master on 15.0.1 with a hello world.

$ nix build
error: builder for '/nix/store/x3sjibwjcswc1ba6pwgvq66cm4rxaknp-cargo-1.81.0.drv' failed with exit code 1;
       last 10 log lines:
       > Running phase: updateAutotoolsGnuConfigScriptsPhase
       > Running phase: configurePhase
       > Running phase: buildPhase
       > Executing cargoBuildHook
       > /private/tmp/nix-build-cargo-1.81.0.drv-0/rustc-1.81.0-src/src/tools/cargo /private/tmp/nix-build-cargo-1.81.0.drv-0/rustc-1.81.0-src
       > cargoBuildHook flags: -j 8 --target aarch64-apple-darwin --offline --profile release
       > Auto configuration failed
       > 8415638080:error:02FFF001:system library:func(4095):Operation not permitted:/AppleInternal/Library/BuildRoots/e0873e53-5185-11ef-9a51-9ab6d782fe32/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:122:fopen('/private/etc/ssl/openssl.cnf', 'rb')
       > 8415638080:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/AppleInternal/Library/BuildRoots/e0873e53-5185-11ef-9a51-9ab6d782fe32/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:127:
       > 8415638080:error:0EFFF002:configuration file routines:CRYPTO_internal:system lib:/AppleInternal/Library/BuildRoots/e0873e53-5185-11ef-9a51-9ab6d782fe32/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/conf/conf_def.c:202:
       For full logs, run 'nix log /nix/store/x3sjibwjcswc1ba6pwgvq66cm4rxaknp-cargo-1.81.0.drv'.
error: 1 dependencies of derivation '/nix/store/6n9hmr939cxz33jgzv2202c6lb5fs3az-auditable-cargo-1.81.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/vn99iixzmbma0lzwdwhgv03nlf1rapp9-cargo-build-hook.sh.drv' failed to build
error: 1 dependencies of derivation '/nix/store/hw2hx3zykk35ap1wsabf4vh3vqy4fslp-cargo-auditable-0.6.2.drv' failed to build
error: 1 dependencies of derivation '/nix/store/jla48zs65pk5257714pm35yw9dfkyzpk-cargo-auditable-0.6.2.drv' failed to build
error: 1 dependencies of derivation '/nix/store/nfa5zkzhdk28lsnnavi34lqmvhf6mn9g-auditable-cargo-1.81.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/g8hnj40zvjkdn7dcaxbwg7cnb8jv092h-auditable-cargo-bootstrap-1.80.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/53vb7bmqrgzqzfj4a52w6ldj355vlc0z-foo-0.0.1.drv' failed to build
$ nix-info -m
 - system: `"aarch64-darwin"`
 - host os: `Darwin 24.0.0, macOS 15.0.1`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.8`
 - channels(n8henrie): `""`
 - channels(root): `""`
 - nixpkgs: `/nix/store/x2qbrd60nz1y86ha15k7mkc2i1d7xb37-source`

Member

@FliegendeWurst FliegendeWurst left a comment


This PR should target staging due to the number of rebuilds.

Review thread on pkgs/development/compilers/rust/binary.nix (outdated, resolved)
Modern versions of macOS link the system-provided curl library against
the system-provided libressl library. On recent versions of macOS, the
system libressl library reads from /private/etc/ssl/openssl.cnf. As this
path is not included in the default Nix sandbox profile, applications
that use the system curl library will report a permission error [1].

This issue affects the bootstrap version of cargo and can be seen while
building rustc for darwin with the sandbox enabled [2]. This change
works around the sandbox failure by using install_name_tool to patch the
cargo binary to use curl provided by Nix, which was the approach used in
oxalica/rust-overlay [3].

[1]: NixOS/nix#9625
[2]: https://gist.github.com/al3xtjames/06bf71ceffd745eef20be8ce03b982c5
[3]: oxalica/rust-overlay#149
@al3xtjames al3xtjames force-pushed the cargo-binary-darwin-sandbox branch from 0f29b34 to 153867a Compare December 6, 2024 01:24
@nix-owners nix-owners bot requested a review from alyssais December 6, 2024 01:25
@Mic92 Mic92 merged commit 662a44f into NixOS:staging Dec 6, 2024
24 of 28 checks passed