It looks like Xcode got an update recently. I was also able to reproduce locally.
I was able to fix it by applying the following change to ~/.opam/opam-init/hooks/sandbox.sh:
diff --git a/src/state/shellscripts/sandbox_exec.sh b/src/state/shellscripts/sandbox_exec.sh
index 0703721f3..6b27563db 100644
--- a/src/state/shellscripts/sandbox_exec.sh
+++ b/src/state/shellscripts/sandbox_exec.sh
@@ -7,7 +7,7 @@ set -ue
POL='(version 1)(allow default)(deny network*)(deny file-write*)'
POL="$POL"'(allow network* (remote unix))'
POL="$POL"'(allow file-write* (literal "/dev/null") (literal "/dev/dtracehelper"))'
-POL="$POL"'(allow file-write* (regex #"^(/private)?(/var)?/tmp/"))'
+POL="$POL"'(allow file-write* (regex #"^(/private)?(/var)?/tmp/" #"^(/private)?/var/folders/" #"^(/private)?/var/db/mds/"))'
add_mounts() {
if [ -d "$2" ]; then
This is a copy of what macports does. I’m not entirely sure if it makes the sandbox too permissive or not (previous discussions and bug-reports to Apple were inconclusive) but it looks like we’ll need to apply something of the sort and make a point release of opam tomorrow to fix that.