Nixpkgs: p11-kit fails to build locally on non-NixOS systems (single-user install) due to failing tests on master

This is labeled as a channel blocker because p11-kit is in the gnome3 closure.
cc @nixos/gnome

I couldn't reproduce this @mjlbach on NixOS 20.09

- system: `"x86_64-linux"`
 - host os: `Linux 5.4.59, NixOS, 20.09.20200810.dirty (Nightingale)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4pre20200721_ff314f1`
 - channels(root): `""`
 - nixpkgs: `/nix/store/blavjn6via2al4msbnc01vvhn36l8xiz-fm6qxbi0l03mykyzrafjinxkm4jxxnn9-source`

@worldofpeace Thanks for checking, I'm not sure what it could be about my local system then. I can try to debug/test on a couple vms.

edit: I've reproduced now on two non-nixos systems (fedora 32 and ubuntu 18.04)

@mjlbach Yeah, from looking at https://hydra.nixos.org/job/nixpkgs/trunk/p11-kit.x86_64-linux it seems on nixos linux the build is successful. We actually happen to have the tests on darwin disabled (perhaps for a similar reason). I'm not sure there's a way to detect in stdenv non-nixos linux to disable the test as well. Though there could be an actual issue.

Updated the issue title and description to make it more clear this does not affect NixOS, but rather linux systems using nix.

One option would be to have an "allowlist" for tests. Something like (not sure if this is the right platform name)

doCheck = hostPlatform.system == "x86_64-nixos"

Although i'm curious why exactly it fails on non-nixos systems.

My hostPlatform.system on NixOS is

$ nix eval -f '<nixpkgs>' hostPlatform.system
"x86_64-linux"

which I assume is the same as non-NixOS.

My hostPlatform.system on NixOS is

$ nix eval -f '<nixpkgs>' hostPlatform.system
"x86_64-linux"

which I assume is the same as non-NixOS.

Yes, that's what I was hoping was not the case (my nixos machine is unfortunately inaccessible right now) . Maybe there should be a stdenv.isNixOS... Not sure how widespread these sorts of failures are.

Based on looking at the p11_test_copy_setgid code, perhaps this happens when you have /tmp on a filesystem mounted nosuid?

Yes, that seems to be the case:

$ mount
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel)

Although this seems to be standard for systemd managed systems? (ubuntu, fedora, etc.)

Actually, the callers of p11_test_copy_setgid pass in BUILDDIR rather than /tmp, so it might be some other filesystem that matters.

/run maybe? See nixos/nix#2957.

I'm not sure how to verify that, but based on the issue description I tried

 TMPDIR=/tmp nix-shell -I nixpkgs=https://github.com/nixos/nixpkgs/archive/master.tar.gz -p p11-kit --check

And still reproduced my issue

This doesn't block a channel, right?

BTW, I don't reproduce the issue on my sandboxed non-NixOS builder (Ubuntu 18.04 as well) or a NixOS one; both have nosuid /tmp.

_Current master, result /nix/store/j9199a0p4847pc1f1czjfrkw7nf6f0rn-p11-kit-0.23.21._

This doesn't block a channel, right?

Yep, I forgot to unlabel it.

@vcunat Thanks for the info. Are you using a single or multi-user install? I have sandboxing (explicitly) enabled on both the ubuntu and fedora vms, but it's installed via single-user (not sure if this matters, but I have no idea what other substantive difference there could be).

Yes, multi-user.

I've confirmed this issue only affects systems in single-user install.

One issue is that in order to use multi-user installs on redhat based linux distributions, it seems you have to disable SELinux