Skip to content

Commit

Permalink
Revert "nixos/hardened: build sandbox incompatible with namespaces"
Browse files Browse the repository at this point in the history 
As discussed in #73763, prevailing
consensus is to revert that commit. People use the hardened profile on
machines and run nix builds, and there's no good reason to use
unsandboxed builds at all unless you're in a platform that doesn't
support them.

This reverts commit 00ac71a.
  • Loading branch information
@flokli
flokli committed Apr 5, 2020
1 parent 0454fae commit a8989b3
Showing 1 changed file with 0 additions and 2 deletions.
2 changes: 0 additions & 2 deletions nixos/modules/profiles/hardened.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,6 @@ with lib;

security.allowUserNamespaces = mkDefault false;

nix.useSandbox = mkDefault false;

This comment has been minimized.

Sign in to view

Copy link
@Mic92

Mic92 Apr 6, 2020

Member

From my understanding this breaks nix on those systems because
usernamespaces are disabled?

This comment has been minimized.

Sign in to view

Copy link
@Mic92

Mic92 Apr 6, 2020

Member

In order to make this work a kernel patch would be required.

This comment has been minimized.

Sign in to view

Copy link
@kmcopper

kmcopper Apr 7, 2020
edited
Loading

Contributor

Correct. #84522 should fix.

security.protectKernelImage = mkDefault true;

security.allowSimultaneousMultithreading = mkDefault false;
Expand Down

0 comments on commit a8989b3

Please sign in to comment.