Darwin sandbox: allow accessing entire Nix store

Relaxes the sandbox profile on Darwin to allow access to the entire Nix
store instead of granting access to each (transitive) input dependency.

This approach is less hermetic and less restrictive (i.e., secure) but
prevents the following error without disabling sandboxing altogether:

```
sandbox-exec: pattern serialization length 67402 exceeds maximum (65535)
```

src/libstore/unix/build/local-derivation-goal.cc

@@ -2118,13 +2118,21 @@ void LocalDerivationGoal::runChild()
                             continue;
                         throw SysError("getting attributes of required path '%s", path);
                     }
-                    if (S_ISDIR(optSt->st_mode))
-                        sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
-                    else
-                        sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+                    /* Allow paths which are not below the Nix store directory */
+                    if (!path.starts_with(worker.store.storeDir)) {
+                        if (S_ISDIR(optSt->st_mode))
+                            sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+                        else
+                            sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+                    }
                 }
                 sandboxProfile += ")\n";
 
+                /* Allow accessing any path below the Nix store directory */
+                sandboxProfile += "(allow file-read* file-write* process-exec\n";
+                sandboxProfile += fmt("\t(regex #\"^%s/.*\")\n", worker.store.storeDir);
+                sandboxProfile += ")\n";
+
                 /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
                 sandboxProfile += "(allow file-read*\n";
                 for (auto & i : ancestry) {