
FS#73727 - community/nix: Fix sandboxed builds

Attached to Project: Community Packages
Opened by Zhaofeng Li (zhaofeng) - Thursday, 10 February 2022, 21:37 GMT
Last edited by Caleb Maclennan (alerque) - Friday, 11 February 2022, 22:35 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Caleb Maclennan (alerque), George Rawlinson (rawlinsong)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

When sandboxing is enabled (default), Nix runs each build in an isolated mount namespace and requires a statically-linked POSIX-compatible sh to run the build script inside the sandbox. Currently, this is not specified, so sandboxed builds are broken (fail.log).

The attached patch uses the busybox sh as the sandbox shell.

Additional info:

$ pacman -Qi nix | grep Version
Version : 2.6.0-1

$ nix --version
nix (Nix) 2.6.0

Steps to reproduce:

1. Install nix with default configurations (sandbox enabled)
2. `git clone --depth=1 https://github.com/NixOS/nixpkgs && cd nixpkgs`
3. `nix-build -A hello --check` should fail
4. Install the patched version of nix (0001-nix-fix-sandboxed-build.patch)
5. `systemctl restart nix-daemon`
6. `nix-build -A hello --check` should succeed

Attachments:

1. 0001-nix-fix-sandboxed-build.patch - Patch to fix the problem
2. fail.log - Logs for `nix-build -A hello --check` in current package
3. success.log - Logs for `nix-build -A hello --check` with patch

Closed by: Caleb Maclennan (alerque) - Friday, 11 February 2022, 22:35 GMT
Reason for closing: Fixed
Additional comments about closing: nix-2.6.0-2

Comment by Caleb Maclennan (alerque) - Friday, 11 February 2022, 21:32 GMT

Why busybox? Why not bash's `sh`? Or `dash`?

Comment by Zhaofeng Li (zhaofeng) - Friday, 11 February 2022, 21:37 GMT

It has to be a statically-linked executable since the sandbox uses a clean root with nothing in it. To quote `./configure --help`:

> AC_ARG_WITH(sandbox-shell, AS_HELP_STRING([--with-sandbox-shell=PATH],[path of a statically-linked shell to use as /bin/sh in sandboxes]),
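
A check for the requirement discussed in this thread, as an added example that is not part of the original report, the attached patch, or Nix itself: it reads an ELF file's program headers and reports whether the binary requests a dynamic loader (`PT_INTERP`), which would not exist in the sandbox's clean root. The function names, the script name in the usage comment, and the sample ELF builder are constructed for illustration.

```python
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3  # program header types from the ELF spec

def elf_linkage(data: bytes) -> str:
    """Classify an ELF image by the program headers it carries."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian
    if data[4] == 2:                        # EI_CLASS: 2 = 64-bit layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                   # 32-bit layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    types = set()
    for i in range(e_phnum):
        # p_type is the first 32-bit field of every program header entry
        types.add(struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0])
    if PT_INTERP in types:
        return "dynamic"                      # needs a loader absent from a clean root
    if PT_DYNAMIC in types:
        return "static-pie-or-shared-object"  # no loader requested; inspect further
    return "static"

def make_elf64(ptypes):
    """Constructed sample: minimal little-endian ELF64 header plus program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    # Each 56-byte entry carries only p_type; the remaining fields are zeroed.
    return header + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_shell.py /path/to/candidate/sh
    with open(sys.argv[1], "rb") as fh:
        print(sys.argv[1], "->", elf_linkage(fh.read()))
```

A result of `dynamic` for the shell passed to `--with-sandbox-shell` corresponds to the situation the comment above describes: the binary depends on files that the clean sandbox root does not contain.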
