Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nix-user-chroot breaks sandboxing #102

Open
zmanji opened this issue Dec 22, 2022 · 2 comments
Open

nix-user-chroot breaks sandboxing #102

zmanji opened this issue Dec 22, 2022 · 2 comments

Comments

@zmanji
Copy link

zmanji commented Dec 22, 2022

On an Ubuntu Jammy machine I cannot get nix to build with the sandbox enabled and sandbox fallback disabled.

To reproduce first ensure the following is added to ~/.config/nix/nix.conf:

sandbox-fallback = false

$ wget https://github.com/nix-community/nix-user-chroot/releases/download/1.2.2/nix-user-chroot-bin-1.2.2-x86_64-unknown-linux-musl -O nix-user-chroot 
$ mkdir mynix
$ ./nix-user-chroot mynix bash -c "curl -L https://nixos.org/nix/install | bash"

Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation
performing a single-user installation of Nix...
copying Nix to /nix/store...

installing 'nix-2.12.0'
error: creating sandboxed builder process using clone(), without sandbox-fallback: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.BKErg7AOml/unpack/nix-2.12.0-x86_64-linux/install: unable to install Nix into your default profile

However using bwrap works fine.

$ bwrap --version
bubblewrap 0.6.1
$ bwrap --unshare-user --uid $(id -u) --gid $(id -g) --die-with-parent --bind ./mynix /nix --proc /proc --dev /dev  --tmpfs /tmp --bind /bin/ /bin/ --bind /etc/ /etc/ --bind /home/zmanji/ /home/zmanji/ --bind /lib/ /lib/ --bind /lib64 /lib64 --bind /sbin/ /sbin --bind /run /run --bind /usr/ /usr/ --bind /var/ /var/ bash -c "curl -L https://nixos.org/nix/install | bash"

Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation
performing a single-user installation of Nix...
copying Nix to /nix/store...

installing 'nix-2.12.0'
building '/nix/store/0dg0zjj2j6hijn193x1215yssrg7n1xs-user-environment.drv'...
unpacking channels...
modifying /home/zmanji/.profile...
modifying /home/zmanji/.zshenv...

Installation finished!  To ensure that the necessary environment
variables are set, either log in again, or type

  . /home/zmanji/.nix-profile/etc/profile.d/nix.sh

in your shell.

I used strace to see what differences were there but I could not figure it out. Would it be possible to change nix-user-chroot to make the nested clone call work?
@Mic92
Copy link
Member

Mic92 commented Dec 26, 2022

Might be related to 6288562

@zmanji
Copy link
Author

zmanji commented Dec 26, 2022

Might be related to 6288562

Yes, it seems to be related. If I use version 1.0.3 which is the release prior to this change, the sandboxing works fine.

Would it be a good idea to go back to pivot_root?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zmanji @Mic92