From 0ccbce17a8ff31d6d7925eb3533e83cacd5b1359 Mon Sep 17 00:00:00 2001
From: Pierre-Etienne Meunier
Date: Wed, 26 Feb 2025 12:02:53 +0100
Subject: [PATCH] Fix macos sandbox issue

---
 src/libstore/unix/build/local-derivation-goal.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 5ee187dd995..d1d505c664c 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2148,12 +2148,13 @@ void LocalDerivationGoal::runChild()
             // We create multiple allow lists, to avoid exceeding a limit in the darwin sandbox interpreter.
             // See https://github.com/NixOS/nix/issues/4119
             // We split our allow groups approximately at half the actual limit, 1 << 16
-            int initialLen = sandboxProfile.length();
+            int breakpoint = sandboxProfile.length() + (3 << 14);
             for (auto & i : pathsInChroot) {
-                if (sandboxProfile.length() - initialLen > (1 << 15)) {
+                if (sandboxProfile.length() >= breakpoint) {
+                    debug("Sandbox break: %d %d", sandboxProfile.length(), breakpoint);
                     sandboxProfile += ")\n(allow file-read* file-write* process-exec\n";
-                    initialLen = sandboxProfile.length();
+                    breakpoint = sandboxProfile.length() + 256;
                 }
                 if (i.first != i.second.source)