Nixpkgs: Resurrect Nix Darwin sandbox

Created on 7 Sep 2017  路  6Comments  路  Source: NixOS/nixpkgs

This is a combined Nix + Nixpkgs issue, because the relevant work spans both repositories. This used to work, but broke a while ago and nobody's had the time to fix it.

The end result of this work should be:

  • [ ] Most of nixpkgs (definitely all major packages) should build with sandbox enabled on Darwin
  • [ ] All Darwin Hydra builders have it enabled
  • [ ] The mechanism is reasonably safe by default (i.e., packages can't just specify arbitrary sandbox profiles to break out)
  • [ ] Nix defaults to sandbox=true on Darwin because the default Darwin channel builds fine on it

This is a fair amount of work but should hopefully be fairly mechanical.

@edolstra for testing progress on this issue, is there a way to create a single Hydra jobset that enables the sandbox? That would allow us to improve things without affecting mainline builds.

Some relevant PRs (I'll edit to add more as I put them up):

cc @LnL7 @domenkozar @pikajude

mass-darwin-rebuild security darwin
Source
picture copumpkin
👍6

Most helpful comment

I've been working on this on and off and have the stdenv and several packages building fine in it. Will post PRs when more ready, and link them back here.

picture copumpkin on 16 Oct 2017
8

All 6 comments

Hydra doesn't really have a way to enable sandboxing per jobset, since that's determined by the configuration of the individual builders. A hacky way would be to set requiredSystemFeature = ["sandbox"] and then reserve a Mac builder for doing sandbox builds.

edolstra picture edolstra on 8 Sep 2017

@edolstra that could work, if we can stop that builder from being used everywhere else. Otherwise normal builds will all fail on that builder 馃槮

copumpkin picture copumpkin on 8 Sep 2017

Yes, that's possible by marking it as a mandatory feature.

edolstra picture edolstra on 8 Sep 2017

I've been working on this on and off and have the stdenv and several packages building fine in it. Will post PRs when more ready, and link them back here.

copumpkin picture copumpkin on 16 Oct 2017
8

@copumpkin I'm trying to build my entire Darwin environment with sandboxing on now, to find out which packages fail. Is there someplace that it would be good to maintain a list of these? I know, for example, that ghcWithHoogle has problems with it on.

jwiegley picture jwiegley on 2 Mar 2018

@copumpkin Any updates on this? Hopefully the stdenv are fairly small?

matthewbauer picture matthewbauer on 18 May 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

7c6f434c picture 7c6f434c  路  66Comments
samueldr picture samueldr  路  88Comments
Infinisil picture Infinisil  路  146Comments
purefn picture purefn  路  68Comments
fdietze picture fdietze  路  144Comments