flake: fix sandboxed builds

disable sandboxing when we symlink the platform Xcode

flake.nix

@@ -23,16 +23,18 @@
 		};
 	};
 	outputs = { self, nixpkgs, acextract, command-line, dsc-extractor, snapshot-header, snap-util }: {
-		packages.x86_64-darwin = {
+		packages.x86_64-darwin = let
+			xcode = (nixpkgs.legacyPackages.x86_64-darwin.xcodeenv.composeXcodeWrapper {
+				version = "14.3";
+			}).overrideAttrs (attrs: { __noChroot = true; });
+		in {
 			acextract =
 				with import nixpkgs { system = "x86_64-darwin"; };
-				let xcode = makeSetupHook {
-					deps = [ (xcodeenv.composeXcodeWrapper { version = "14.3"; }) ];
-				} "${xcbuildHook}/nix-support/setup-hook";
+				let xcodeHook = makeSetupHook {	deps = [ xcode ]; } "${xcbuildHook}/nix-support/setup-hook";
 				in stdenv.mkDerivation {
 					name = "acextract-${lib.substring 0 8 self.inputs.acextract.lastModifiedDate}";
 					src = acextract;
-					nativeBuildInputs = [ xcode ];
+					nativeBuildInputs = [ xcodeHook ];
 					preBuild = "LD=$CC";
 					# FIXME: want to have submodule support for Nix flakes, workaround by explicit instantiation
 					postUnpack = "rmdir source/CommandLine ; ln -s ${command-line} source/CommandLine";
@@ -75,6 +77,7 @@
 						cp Products/Release/acextract $out/bin/
 					'';
 					dontStrip = true;
+					__noChroot = true;
 				};
 			dsc-extractor =
 				with import nixpkgs { system = "x86_64-darwin"; };
@@ -88,7 +91,7 @@
 				stdenv.mkDerivation {
 					name = "snap-util-${lib.substring 0 8 self.inputs.snap-util.lastModifiedDate}";
 					src = snap-util;
-					nativeBuildInputs = [ (xcodeenv.composeXcodeWrapper { version = "14.3"; }) ];
+					nativeBuildInputs = [ xcode ];
 					preBuild = "NIX_CFLAGS_COMPILE='-idirafter ${snapshot-header}/bsd'";
 					installPhase = ''
 						mkdir -p $out/bin
@@ -122,6 +125,7 @@
 						EOF
 						codesign -s - --entitlement snapUtil.entitlements $out/bin/.snapUtil-wrapped
 					'';
+					__noChroot = true;
 				};
 		};
 	};