nix: do not disable sandbox by default #35666

Open
Cloudef opened this issue Feb 17, 2022 · 6 comments
Labels
bug Something isn't working

Comments


Cloudef commented Feb 17, 2022

System

  • xuname: Void 5.12.14_1 x86_64-musl AuthenticAMD uptodate rFFFF
  • package: nix-2.3.12_1

Expected behavior

/etc/nix.conf should have sandbox on, and should build packages as expected in such isolated environment.

Actual behavior

/etc/nix.conf has sandbox turned off by default, and it fails unexpectedly when turned on due to a misconfiguration with sandbox-paths. Nix mounts /bin/sh into the sandboxed namespace, but this binary is linked against musl libc and thus fails to work in such a sandboxed environment.

The workaround is to install busybox-static and edit sandbox-paths in /etc/nix.conf so that /bin/sh points to busybox.static instead.

Steps to reproduce the behavior

  1. Install nix and make sure sandboxing is turned on (restart daemon)
  2. Use the following default.nix

```nix
{ pkgs ? import <nixpkgs> {} }:

pkgs.buildPackages.rustPlatform.buildRustPackage rec {
  pname = "diesel-cli-ext";
  version = "0.3.6";
  cargoSha256 = "1npmr1sy7d6gv7j3r8c03c7k7c9fv0kvipl96cm6g1c90qqba2hx";
  src = pkgs.fetchCrate {
    inherit version;
    crateName = "diesel_cli_ext";
    sha256 = "0zf98kydxgb9mc77x7r4d0vmkfzgi5h4h6n1dhpgq2if9ybyci0b";
  };
}
```

  3. build will fail with misleading error:

```
tar (child): gzip: Cannot exec: No such file or directory
tar (child): Error is not recoverable: exiting now
```

  4. strace reveals the tar actually does /bin/sh -c gzip
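The workaround above comes down to one invariant: every source path listed in sandbox-paths must run without the host's dynamic loader, because neither the loader nor libc is mapped into the build namespace. The following preflight script is an added example, not part of Nix or of the Void package; it parses the sandbox-paths line out of a nix.conf and flags entries whose source is missing or is a dynamically linked ELF. The config path /etc/nix.conf is taken from the issue; the busybox.static location in the comments and the sandbox-paths syntax (space-separated entries of the form target or target=source) are assumptions.

```shell
#!/bin/sh
# Preflight check for the sandbox-paths setting in nix.conf (added example; not
# part of Nix or the Void package). Every source path that Nix bind-mounts into
# the build sandbox must work without the host's dynamic loader, because the
# loader and libc are not mapped in. A musl- or glibc-linked /bin/sh fails the
# way the issue describes, so flag any entry whose source is a dynamic ELF.
#
# Assumed config format (entries are target or target=source, space separated):
#   sandbox-paths = /bin/sh=/usr/bin/busybox.static /etc/hosts
# The busybox.static path is an assumption, not a verified install location.

# Print one "target source" pair per sandbox-paths entry. A bare path maps to
# itself; if the file has several sandbox-paths lines, the last one is used.
parse_sandbox_paths() {
    sed -n 's/^[[:space:]]*sandbox-paths[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr ' ' '\n' | sed '/^$/d' |
        while IFS= read -r entry; do
            case "$entry" in
                *=*) printf '%s %s\n' "${entry%%=*}" "${entry#*=}" ;;
                *)   printf '%s %s\n' "$entry" "$entry" ;;
            esac
        done
}

# Return 0 if FILE is an ELF that requests a program interpreter (PT_INTERP),
# i.e. needs a dynamic loader at runtime; 1 for static binaries and non-ELF files.
needs_interp() {
    f=$1
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    if command -v readelf >/dev/null 2>&1; then
        readelf -l "$f" 2>/dev/null | grep -q 'INTERP'
    else
        # Fallback without binutils: look for the loader path PT_INTERP points at.
        grep -a -q -E '/ld-(musl|linux)[-a-z0-9_.]*\.so' "$f"
    fi
}

# Print every entry that would break inside the sandbox, tagged "missing" or
# "dynamic". Empty output means the mapping looks safe.
bad_sandbox_entries() {
    parse_sandbox_paths "$1" | while read -r target source; do
        if [ ! -e "$source" ]; then
            printf '%s=%s missing\n' "$target" "$source"
        elif needs_interp "$source"; then
            printf '%s=%s dynamic\n' "$target" "$source"
        fi
    done
}

# Stand-alone usage: sh check-sandbox-paths.sh --check [/etc/nix.conf]
if [ "${1:-}" = "--check" ]; then
    out=$(bad_sandbox_entries "${2:-/etc/nix.conf}")
    if [ -n "$out" ]; then
        printf 'unsafe sandbox-paths entries:\n%s\n' "$out"
        exit 1
    fi
    echo "sandbox-paths OK"
fi
```

Run it before restarting the daemon with sandbox = true; a `dynamic` line for /bin/sh is exactly the state that produces the misleading `gzip: Cannot exec` failure, since tar's `/bin/sh -c gzip` never gets past the missing loader.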

Cloudef commented Feb 17, 2022

I also filed a bug in nix, as nix probably should detect this kind of misconfiguration early: NixOS/nix#6113

github-actions bot commented

Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.

@github-actions github-actions bot added the Stale label Jun 24, 2022

Cloudef commented Jun 24, 2022

Still relevant

@github-actions github-actions bot removed the Stale label Jun 25, 2022

@github-actions github-actions bot added the Stale label Sep 24, 2022

Cloudef commented Sep 24, 2022

Still relevant

@github-actions github-actions bot removed the Stale label Sep 25, 2022

@github-actions github-actions bot added the Stale label Dec 25, 2022
@classabbyamp classabbyamp added bug Something isn't working and removed Stale labels Dec 25, 2022