Invoking `nix` in a derivation's build script violates the macOS sandbox in Nix 2.4 and later (#5884)
Comments
Nix 2.5.1 appears to be checking for Adding that manually reproduces the Nix 2.4 failure, which I believe is due to In both cases, the actual solution may be to add these as It's also worth considering if

This also breaks compiling Nix itself, as it invokes itself in order to build its manual.
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/nix-macos-sandbox-issues-in-nix-2-4-and-later/17475/1

Regarding Also I'm not sure if Nix actually needs access to

This was marked as fixed due to #6812, but was anything done about the
I think that's still an issue. I just tested like so:

```
❯ nix build --impure --expr 'with import (builtins.getFlake "github:NixOS/nixpkgs/nixpkgs-unstable") {}; runCommand "foo" { nativeBuildInputs = [ (builtins.getFlake "github:NixOS/nix").packages.${builtins.currentSystem}.default ]; } "nix --version"'
error: builder for '/nix/store/0ii2rqvqsgk343gg5b9a8z20qdvlpf8y-foo.drv' failed with exit code 134;
       last 2 log lines:
       > libc++abi: terminating with uncaught exception of type nix::SysError: error: getting status of /nix/var/nix/profiles/per-user/root/channels/nixpkgs: Operation not permitted
       > /private/tmp/nix-build-foo.drv-0/.attr-0l2nkwhif96f51f4amnlf414lhl4rv9vh8iffyp431v6s28gsr90: line 1: 11683 Abort trap: 6 nix --version
       For full logs, run 'nix log /nix/store/0ii2rqvqsgk343gg5b9a8z20qdvlpf8y-foo.drv'.
```

The Nix being run here is
Also running into the

I can also reproduce this. My "host" Nix is 2.12.0, while the Nix I'm executing (via tests) is 145e9a8.

Reopening since the fix PR didn't fix everything. Hopefully #5226 should fix at least most of it, but maybe not all.

#7689 should also help by making it possible to turn off the default nix path using

#7689 should have fixed this, so I'll close. Feel free to comment/reopen if the issue still occurs.
Describe the bug

Starting with Nix 2.4 and later, attempting to run `nix --version` (or `nix-env --version`) from within the macOS sandbox aborts with an uncaught exception caused by a `deny file-read-metadata`. The particular path it fails on differs between Nix 2.4 and Nix 2.5.1 but both fail. Nix 2.4 is failing on trying to read `/nix/var/nix/profiles/per-user/root/channels/nixpkgs`

Steps To Reproduce

1. `/etc/nix/nix.conf` (in my case I have `sandbox = relaxed` but `true` works too)
2. `nix build --impure --expr 'with import (builtins.getFlake "github:NixOS/nixpkgs/77fda7f672726e1a95c8cd200f27bccfc86c870b") {}; runCommand "foo" { nativeBuildInputs = [ nix ]; } "nix --version"'` (the rev here is the current `nixpkgs/nixpkgs-unstable`)
3. `nix build --impure --expr 'with import (builtins.getFlake "github:NixOS/nixpkgs/77fda7f672726e1a95c8cd200f27bccfc86c870b") {}; runCommand "foo" { nativeBuildInputs = [ nix_2_4 ]; } "nix --version"'` for Nix 2.4

Nix 2.5.1

Output:

The system log lists a number of sandbox denies, but the final one is

Nix 2.4

Output:

Again a number of denies in the system log, but the final one is

Expected behavior

This should work.

`nix --version` output

I've tested both with Nix 2.4 and Nix 2.5.1 as the driver, and the above repro steps use both Nix 2.4 and Nix 2.5.1 in the build command.

Additional context

I'm using a multi-user install on macOS. I don't know if anything differs in a single-user install.
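The report above says the system log lists a number of sandbox denies and that the final one is the path the build aborts on. The helper below is an added example (not part of this issue or of Nix) for triaging such a capture: it parses macOS sandbox denial lines for the `nix` process, groups the denied paths per operation and returns the final deny. The line shape (`Sandbox: <proc>(<pid>) deny(<n>) <operation> <path>`) is an assumption about the kernel's log format, and the sample log entries are constructed for this example.

```python
"""Triage macOS sandbox denials reported for a Nix build (added example)."""
import re

# Assumed shape of a kernel sandbox denial as shown by `log stream` / Console;
# whatever precedes "Sandbox:" (timestamp, host, subsystem) is ignored.
DENY_RE = re.compile(
    r"Sandbox:\s+(?P<proc>[^()\s]+)\((?P<pid>\d+)\)\s+deny\(\d+\)\s+"
    r"(?P<op>[\w-]+)\s+(?P<path>\S+)"
)

# Constructed sample entries, not a real capture. The last path is the one the
# issue reports for Nix 2.4; the others are placeholders for earlier denies.
SAMPLE_LOG = """\
kernel: Sandbox: nix(11683) deny(1) file-read-metadata /Users/example/.config/nix
kernel: Sandbox: nix(11683) deny(1) file-read-data /etc/nix/nix.conf
kernel: Sandbox: bash(11680) deny(1) file-read-metadata /Users/example/.bashrc
kernel: Sandbox: nix(11683) deny(1) file-read-metadata /nix/var/nix/profiles/per-user/root/channels/nixpkgs
"""


def parse_denials(log_text):
    """Return one dict (proc, pid, op, path) per denial line, in log order."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := DENY_RE.search(line))]


def denials_for(log_text, proc="nix"):
    """Denials attributed to one process name, e.g. the nested `nix`."""
    return [d for d in parse_denials(log_text) if d["proc"] == proc]


def last_denial(log_text, proc="nix"):
    """The final denial for `proc`: with an uncaught SysError this is the
    access that aborted the builder, as in the report above."""
    ds = denials_for(log_text, proc)
    return ds[-1] if ds else None


def denied_paths_by_op(log_text, proc="nix"):
    """Group denied paths per sandbox operation, so it is visible which
    paths a sandbox profile would have to permit (or the tool stop touching)."""
    groups = {}
    for d in denials_for(log_text, proc):
        groups.setdefault(d["op"], []).append(d["path"])
    return groups


if __name__ == "__main__":
    for op, paths in denied_paths_by_op(SAMPLE_LOG).items():
        print(op, *paths, sep="\n    ")
    print("final deny:", last_denial(SAMPLE_LOG))
```

Feed it the output of `log stream` or `log show` filtered to the build window; lines that are not sandbox denials are skipped.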