Nix: Wanted: Documentation on using sandbox with single-user install

Created on 16 Mar 2019 · 4 Comments · Source: NixOS/nix

The documentation on the nix.conf sandbox option says that it requires Nix to run as root and that I need to use build-users-group accordingly.

The problem is, I have a single-user (Darwin) install, so I don't have any nix builder users, nor would I want them as the nix store is owned by my user account. The documentation on build-users-group says if it's unset it uses the uid of the Nix process, which is presumably not what I want (as that would be root, but I don't want to have root-owned paths in my nix store).

What I'd really like to see is some documentation somewhere of how to use sandbox with a single-user install. I'm trying to write up a PR for a package right now but I need to make sure that it works under the sandbox (e.g. I need to make sure any tests in the package aren't using the network).

All 4 comments

On a Linux machine with user namespaces enabled, sandboxes work without issue in a single-user install if they're either set to true in the nix.conf option, or if someone passes --option sandbox true on the cmdline, as far as I'm aware. I'd imagine it's similar for Darwin?

I tried --option sandbox true already without sudo, to see if it would work, and I get an error very early when the sandbox prevents accessing system frameworks:

```
> nix-build --option sandbox true . -A cargo-tree
[...]
Running cargo build --release 
dyld: Library not loaded: /System/Library/Frameworks/Security.framework/Versions/A/Security
  Referenced from: /nix/store/x2kky8fly7pvnpswj2rrcn68sbnx0ysr-cargo-1.32.0/bin/.cargo-wrapped
  Reason: no suitable image found.  Did find:
        /System/Library/Frameworks/Security.framework/Versions/A/Security: file system sandbox blocked stat()
        /System/Library/Frameworks/Security.framework/Versions/A/Security: file system sandbox blocked stat()
/nix/store/zchs18skjv75qg2iy0srwz1dvrrmfkv7-stdenv-darwin/setup: line 1319: 83417 Abort trap: 6           cargo build --release --frozen
builder for '/nix/store/rnwr0jbb5zmirvf13m15fyfzz7zz425c-cargo-tree-0.22.0.drv' failed with exit code 134
error: build of '/nix/store/rnwr0jbb5zmirvf13m15fyfzz7zz425c-cargo-tree-0.22.0.drv' failed
```

Of course I don't know if this would work in a multi-user install using sudo either, but I would have to assume that it's supposed to.

I think the statement about root is indeed incorrect for both Linux and Darwin. Sandboxing currently only works partially on Darwin because of system frameworks, etc., but configuring it to be slightly less strict now works in a lot of cases:

```
sandbox = true
extra-sandbox-paths = /System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env
```
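Every path listed in extra-sandbox-paths is a hole punched in the sandbox, so it is worth auditing what a nix.conf actually grants before trusting a sandboxed build as evidence that a package's tests stay offline. The following POSIX sh helpers are an added example, not code from the Nix project or from anyone in this thread: they parse a nix.conf, report the effective sandbox setting (true, false or relaxed), list the host paths exposed through extra-sandbox-paths, and flag entries that expose a whole system root. The function names, the "last assignment wins" rule and the list of "broad" roots are assumptions of this example; the sample config is constructed from the Darwin settings above.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of Nix): audit sandbox settings in a nix.conf.

# Value of one nix.conf key, with comments stripped; if the key appears several times,
# the last assignment wins (an assumption of this helper, not a documented Nix rule).
nix_conf_value() {
    # $1 = path to nix.conf, $2 = key name
    sed -e 's/#.*$//' "$1" | awk -v key="$2" -F'=' '
        $1 ~ ("^[ \t]*" key "[ \t]*$") {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); val = $2
        }
        END { print val }'
}

# Effective sandbox mode: true, false, relaxed, unset, or invalid.
nix_sandbox_setting() {
    v=$(nix_conf_value "$1" sandbox)
    case "$v" in
        true|false|relaxed) printf '%s\n' "$v" ;;
        "")                 printf 'unset\n' ;;
        *)                  printf 'invalid\n' ;;
    esac
}

# Host paths the sandbox will expose, one per line.
nix_extra_sandbox_paths() {
    nix_conf_value "$1" extra-sandbox-paths | tr ' ' '\n' | sed '/^$/d'
}

# Exposed paths that are whole system roots (constructed list); exposing these
# gives the builder most of the host filesystem and defeats the sandbox's purpose.
nix_sandbox_broad_paths() {
    nix_extra_sandbox_paths "$1" | grep -E '^(/|/usr|/bin|/etc|/private|/Users|/home)$' || true
}

# Demo on a constructed config mirroring the Darwin settings from the thread.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample nix.conf
sandbox = true
extra-sandbox-paths = /System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env
EOF
echo "sandbox mode: $(nix_sandbox_setting "$demo_conf")"
echo "exposed host paths:"
nix_extra_sandbox_paths "$demo_conf" | sed 's/^/  /'
broad=$(nix_sandbox_broad_paths "$demo_conf")
[ -n "$broad" ] && echo "WARNING: whole-system roots exposed: $broad"
rm -f "$demo_conf"
```

Run it against the real file (for a single-user install, typically ~/.config/nix/nix.conf or /etc/nix/nix.conf) to see what a build will be allowed to touch. Note that extra-sandbox-paths only governs filesystem access; whether a test reaches the network is something you still verify by running the build with sandbox = true and watching it fail, as the cargo-tree log above shows for framework access.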