Enable sandboxing by default

Closes #179.
NixOS · Nov 7, 2018 · 812e393 · 812e393 · copumpkin · Nov 7, 2018
1 parent 5a3f140
commit 812e393
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 10 deletions.
diff --git a/doc/manual/release-notes/release-notes.xml b/doc/manual/release-notes/release-notes.xml
@@ -12,6 +12,7 @@
 </partintro>
 -->
 
+<xi:include href="rl-2.3.xml" />
 <xi:include href="rl-2.2.xml" />
 <xi:include href="rl-2.1.xml" />
 <xi:include href="rl-2.0.xml" />

diff --git a/doc/manual/release-notes/rl-2.3.xml b/doc/manual/release-notes/rl-2.3.xml
@@ -0,0 +1,19 @@
+<section xmlns="http://docbook.org/ns/docbook"
+      xmlns:xlink="http://www.w3.org/1999/xlink"
+      xmlns:xi="http://www.w3.org/2001/XInclude"
+      version="5.0"
+      xml:id="ssec-relnotes-2.3">
+
+<title>Release 2.3 (2019-??-??)</title>
+
+<para>This release has the following changes:</para>
+
+<itemizedlist>
+
+  <listitem>
+    <para>Sandbox builds are now enabled by default on Linux.</para>
+  </listitem>
+
+</itemizedlist>
+
+</section>
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
@@ -195,7 +195,13 @@ public:
     Setting<bool> showTrace{this, false, "show-trace",
         "Whether to show a stack trace on evaluation errors."};
 
-    Setting<SandboxMode> sandboxMode{this, smDisabled, "sandbox",
+    Setting<SandboxMode> sandboxMode{this,
+        #if __linux__
+          smEnabled
+        #else
+          smDisabled
+        #endif
+        , "sandbox",
         "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".",
         {"build-use-chroot", "build-use-sandbox"}};
 

diff --git a/tests/common.sh.in b/tests/common.sh.in
@@ -85,16 +85,13 @@ killDaemon() {
     trap "" EXIT
 }
 
-canUseSandbox() {
+if [[ $(uname) == Linux ]] && [[ -L /proc/self/ns/user ]] && unshare --user true; then
-    if [[ $(uname) != Linux ]]; then return 1; fi
+    _canUseSandbox=1
-
+fi
-    if [ ! -L /proc/self/ns/user ]; then
-        echo "Kernel doesn't support user namespaces, skipping this test..."
-        return 1
-    fi
 
-    if ! unshare --user true ; then
+canUseSandbox() {
-        echo "Unprivileged user namespaces disabled by sysctl, skipping this test..."
+    if [[ ! $_canUseSandbox ]]; then
+        echo "Sandboxing not supported, skipping this test..."
         return 1
     fi
 

diff --git a/tests/init.sh b/tests/init.sh
@@ -16,6 +16,7 @@ mkdir "$NIX_CONF_DIR"
 cat > "$NIX_CONF_DIR"/nix.conf <<EOF
 build-users-group =
 keep-derivations = false
+sandbox = false
 include nix.conf.extra
 EOF