Hide all files from build that are not build inputs

[nh2]

In the context of commercialhaskell/stack#2802 it occurred to me that in general, a software being built inside nix can still introduce non-reproducible builds by reading arbitray files on that the build machine (e.g. by simply hardcoding a use of the contents of /etc/group, for example).

To make builds truly isolated, we would need an equivalent of --pure that can:

• Restrict file system usage to /nix/store/... paths that are declared as build inputs
• Disable networking (force offline builds)
• (potentially too extreme for now) Stop the time so that all timestamps are the same

Which of these does nix already support?

There are a couple methods this could be implemented: FUSE filesystems (e.g. the tup build system uses those), fakeroot-ng (uses ptrace), seccomp (like Chromium uses for sandboxing), or cgroups (requires root).

With a patrace based approach even the "stop the time" bit could be done.

[copumpkin]

build-use-sandbox already does all of that (and has been for years on Hydra and anyone who turns it on), except nix-shell doesn't currently apply that to shells you spin up.

Linux support uses namespaces, and on Darwin the support is currently broken but we generate sandbox specs on the fly and use the built-in sandboxing machinery.

[copumpkin]

#179 is why it isn't turned on by default. #907 is a proposal to turn the cheap parts of it on by default.

[domenkozar]

Closing as we already have sandboxes, please reopen with more specific feature requirement if current situation doesn't work/fit.

[domenkozar]

Duplicates #903