cargo: avoid using system curl on darwin

Modern versions of macOS link the system-provided curl library against
the system-provided libressl library. On recent versions of macOS, the
system libressl library reads from /private/etc/ssl/openssl.cnf. As this
path is not included in the default Nix sandbox profile, applications
that use the system curl library will report a permission error [1].

This issue affects the bootstrap version of cargo and can be seen while
building rustc for darwin with the sandbox enabled [2]. This change
works around the sandbox failure by using install_name_tool to patch the
cargo binary to use curl provided by Nix, which was the approach used in
oxalica/rust-overlay [3].

[1]: https://github.com/NixOS/nix/issues/9625
[2]: https://gist.github.com/al3xtjames/06bf71ceffd745eef20be8ce03b982c5
[3]: https://github.com/oxalica/rust-overlay/pull/149

pkgs/development/compilers/rust/binary.nix

@@ -124,7 +124,10 @@ rec {
       patchShebangs ./install.sh
       ./install.sh --prefix=$out \
         --components=cargo
-
+    '' + lib.optionalString stdenv.hostPlatform.isDarwin ''
+      install_name_tool -change "/usr/lib/libcurl.4.dylib" \
+        "${curl.out}/lib/libcurl.4.dylib" "$out/bin/cargo"
+    '' + ''
       wrapProgram "$out/bin/cargo" \
         --suffix PATH : "${rustc}/bin"
     '';