Sandbox for manifests and plugins should block /tmp and instead provide a unique path specified by TMPDIR

The `/tmp` temporary directory is particularly unsafe because it is noisy — various processes with various ownerships write and read files there.  So it's better to use the per-user directory returned by `NSTemporaryDirectory()`.

We can improve several things here by passing through the result of calling `NSTemporaryDirectory()` in the sandbox instead of `/tmp`, and also `TMPDIR` in the environment (regardless of whether or not it was set in the inherited one).  This will cause the inferior's use of Foundation to respect this directory (the implementation of `NSTemporaryDirectory()` looks at `TMPDIR` on all platforms), and that should also be true for any command line tools it calls, as long as it passes through the environment.

Note: if `TMPDIR` happens to be set in SwiftPM's own environment, it will control SwiftPM's own uses of `NSTemporaryDirectory()`, so the callers `TMPDIR` will be respected all the way through (down to manifests and plugins).

rdar://91575256

Author: abertelrud

Sources/Build/BuildOperation.swift

@@ -560,8 +560,17 @@ public final class BuildOperation: PackageStructureDelegate, SPMBuildCore.BuildS
                         .writable(try self.fileSystem.tempDirectory)])
                     commandLine = try sandboxProfile.apply(to: commandLine)
                 }
-                let processResult = try TSCBasic.Process.popen(arguments: commandLine, environment: command.configuration.environment)
+
+                // Pass `TMPDIR` in the environment, in addition to anything the plugin specifies, in case we have an
+                // override in our own environment.
+                var environment = command.configuration.environment
+                environment["TMPDIR"] = try self.fileSystem.tempDirectory.pathString
+
+                // Run the command and wait for it to finish.
+                let processResult = try Process.popen(arguments: commandLine, environment: environment)
                 let output = try processResult.utf8Output() + processResult.utf8stderrOutput()
+
+                // Throw an error if it failed.
                 if processResult.exitStatus != .terminated(code: 0) {
                     throw StringError("failed: \(command)\n\n\(output)")
                 }

Sources/Build/LLBuildManifestBuilder.swift

@@ -629,13 +629,19 @@ extension LLBuildManifestBuilder {
                         .writable(try self.fileSystem.tempDirectory)])
                     commandLine = try sandboxProfile.apply(to: commandLine)
                 }
+
+                // Pass `TMPDIR` in the environment, in addition to anything the plugin specifies, in case we have an
+                // override in our own environment.
+                var environment = command.configuration.environment
+                environment["TMPDIR"] = try self.fileSystem.tempDirectory.pathString
+
                 manifest.addShellCmd(
                     name: displayName + "-" + ByteString(encodingAsUTF8: uniquedName).sha256Checksum,
                     description: displayName,
                     inputs: command.inputFiles.map{ .file($0) },
                     outputs: command.outputFiles.map{ .file($0) },
                     arguments: commandLine,
-                    environment: command.configuration.environment,
+                    environment: environment,
                     workingDirectory: command.configuration.workingDirectory?.pathString)
             }
         }

Sources/PackageLoading/ManifestLoader.swift

@@ -662,13 +662,22 @@ public final class ManifestLoader: ManifestLoaderProtocol {
                             }
                         }
 
-                        // Run the compiled manifest.
+                        // Set up the environment so that the manifest inherits our own environment, but make sure that
+                        // `TMPDIR` is set to whatever the temporary directory is that is allowed in the sandbox.
                         var environment = ProcessEnv.vars
+                        do {
+                            environment["TMPDIR"] = try localFileSystem.tempDirectory.pathString
+                        } catch {
+                            return completion(.failure(error))
+                        }
+
+                        // On Windows, also make sure that the `Path` is set up correctly in the environment.
                         #if os(Windows)
                         let windowsPathComponent = runtimePath.pathString.replacingOccurrences(of: "/", with: "\\")
                         environment["Path"] = "\(windowsPathComponent);\(environment["Path"] ?? "")"
                         #endif
 
+                        // Run the compiled manifest.
                         let cleanupAfterRunning = cleanupIfError.delay()
                         TSCBasic.Process.popen(arguments: cmd, environment: environment, queue: callbackQueue) { result in
                             dispatchPrecondition(condition: .onQueue(callbackQueue))

Sources/Workspace/DefaultPluginScriptRunner.swift

@@ -463,6 +463,16 @@ public struct DefaultPluginScriptRunner: PluginScriptRunner, Cancellable {
 #endif
         process.currentDirectoryURL = workingDirectory.asURL
 
+        // Pass `TMPDIR` in the environment, in addition to anything the plugin specifies. This lets us respect our own
+        // override, and also makes sure that the plugin always knows what temporary directory we opened up for it.
+        var environment = ProcessInfo.processInfo.environment
+        do {
+            environment["TMPDIR"] = try localFileSystem.tempDirectory.pathString
+        } catch {
+            return completion(.failure(error))
+        }
+        process.environment = environment
+
         // Set up a pipe for sending structured messages to the plugin on its stdin.
         let stdinPipe = Pipe()
         let outputHandle = stdinPipe.fileHandleForWriting