Invoking nix in a derivation's build script violates the macOS sandbox in Nix 2.4 and later
#5884
Comments
|
Nix 2.5.1 appears to be checking for Adding that manually reproduces the Nix 2.4 failure, which I believe is due to In both cases, the actual solution may be to add these as It's also worth considering if |
|
This also breaks compiling Nix itself, as it invokes itself in order to build its manual. |
lilyball
changed the title
nix --version violates the macOS sandbox in Nix 2.4 and laternix in a derivation's build script violates the macOS sandbox in Nix 2.4 and later
|
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/nix-macos-sandbox-issues-in-nix-2-4-and-later/17475/1 |
|
Regarding Also I'm not sure if Nix actually needs access to |
|
This was marked as fixed due to #6812, but was anything done about the |
|
I think that's still an issue. I just tested like so: ❯ nix build --impure --expr 'with import (builtins.getFlake "github:NixOS/nixpkgs/nixpkgs-unstable") {}; runCommand "foo" { nativeBuildInputs = [ (builtins.getFlake "github:NixOS/nix").packages.${builtins.currentSystem}.default ]; } "nix --version"'
error: builder for '/nix/store/0ii2rqvqsgk343gg5b9a8z20qdvlpf8y-foo.drv' failed with exit code 134;
last 2 log lines:
> libc++abi: terminating with uncaught exception of type nix::SysError: error: getting status of /nix/var/nix/profiles/per-user/root/channels/nixpkgs: Operation not permitted
> /private/tmp/nix-build-foo.drv-0/.attr-0l2nkwhif96f51f4amnlf414lhl4rv9vh8iffyp431v6s28gsr90: line 1: 11683 Abort trap: 6 nix --version
For full logs, run 'nix log /nix/store/0ii2rqvqsgk343gg5b9a8z20qdvlpf8y-foo.drv'.The Nix being run here is |
|
Also running into the |
|
I can also reproduce this. My "host" Nix is 2.12.0, while the Nix I'm executing (via tests) is 145e9a8. |
|
Reopening since the fix PR didn't fix everything. Hopefully #5226 should fix at least most of it, but maybe not all. |
|
#7689 should also help by making it possible to turn off the default nix path using |
|
#7689 should have fixed this, so I'll close. Feel free to comment/reopen if the issue still occurs. |
Describe the bug
Starting with Nix 2.4 and later, attempting to run
nix --version(ornix-env --version) from within the macOS sandbox aborts with an uncaught exception caused by adeny file-read-metadata. The particular path it fails on differs between Nix 2.4 and Nix 2.5.1 but both fail. Nix 2.4 is failing on trying to read/nix/var/nix/profiles/per-user/root/channels/nixpkgsSteps To Reproduce
/etc/nix/nix.conf(in my case I havesandbox = relaxedbuttrueworks too)nix build --impure --expr 'with import (builtins.getFlake "github:NixOS/nixpkgs/77fda7f672726e1a95c8cd200f27bccfc86c870b") {}; runCommand "foo" { nativeBuildInputs = [ nix ]; } "nix --version"'(the rev here is the currentnixpkgs/nixpkgs-unstable)nix build --impure --expr 'with import (builtins.getFlake "github:NixOS/nixpkgs/77fda7f672726e1a95c8cd200f27bccfc86c870b") {}; runCommand "foo" { nativeBuildInputs = [ nix_2_4 ]; } "nix --version"'for Nix 2.4Nix 2.5.1
Output:
The system log lists a number of sandbox denies, but the final one is
Nix 2.4
Output:
Again a number of denies in the system log, but the final one is
Expected behavior
This should work.
nix --versionoutputI've tested both with Nix 2.4 and Nix 2.5.1 as the driver, and the above repro steps use both Nix 2.4 and Nix 2.5.1 in the build command.
Additional context
I'm using a multi-user install on macOS. I don't know if anything differs in a single-user install.
The text was updated successfully, but these errors were encountered: