Fixing sandboxed builds #29

Open
deliciouslytyped opened this issue Apr 16, 2019 · 1 comment

@deliciouslytyped

Something should be done per NixOS/nix#2605 (comment).

As a temporary hack I set /etc/nix/nix.conf to contain sandbox-paths = /bin/sh=/bin/busybox, but instead something should probably be done using --with-sandbox-path? It would probably be best to get input from someone upstream.

Also I was recommended to use a proper statically compiled dash instead of busybox.


deliciouslytyped commented Apr 16, 2019

TODO: I was in a hurry when writing this up, it's a bit wrong, will fix later.

My cursory analysis is:

The underlying problem is that the sandbox-path equivalent variable at https://github.com/NixOS/nix/blob/5112a33fb17f792ceb6d641738277cbbe6a58bfc/src/libstore/globals.cc#L67 is set to "/bin/sh=" if SANDBOX_SHELL is not set. This results in https://github.com/NixOS/nix/blob/41ba5135e0a2d9940c4e8cbedff44eb1a47af782/src/libstore/build.cc#L2669 being triggered because of failure to stat the target of /bin/sh, being the empty string. The probable reason that this is the first and only debug message about mounts is that this is probably the very first path, inserted at https://github.com/NixOS/nix/blob/41ba5135e0a2d9940c4e8cbedff44eb1a47af782/src/libstore/build.cc#L1915.

I'm not sure how the surrounding ifdef comes into play. If SANDBOX_SHELL isn't set maybe this won't happen, but when is SANDBOX_SHELL not set?

I'm not really familiar with this make stuff, maybe the problem is that https://github.com/NixOS/nix/blob/5112a33fb17f792ceb6d641738277cbbe6a58bfc/src/libstore/local.mk#L42 means that it's always set?
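The failing mapping described in this thread (a `sandbox-paths` entry of `/bin/sh=` whose host target is the empty string, so the stat before bind-mounting fails) can be caught by inspecting nix.conf before a build. The following checker is an added example, not code from the Nix project: it parses a `sandbox-paths` value into `inside=outside` pairs (a bare path maps to itself; a trailing `?` marking an optional entry is taken from the nix.conf documentation, not from this thread) and reports empty or missing host targets. The sample config and the set of "existing" host paths are constructed so it runs offline.

```python
import os
from dataclasses import dataclass


@dataclass
class SandboxPath:
    inside: str      # path as seen inside the build sandbox
    outside: str     # host path that gets bind-mounted there
    optional: bool   # trailing '?' in nix.conf marks the entry optional


def parse_sandbox_paths(value):
    """Parse the space-separated value of a nix.conf `sandbox-paths` setting."""
    entries = []
    for item in value.split():
        optional = item.endswith("?")
        if optional:
            item = item[:-1]
        if "=" in item:
            inside, outside = item.split("=", 1)   # explicit inside=outside
        else:
            inside = outside = item                # bare path: same on both sides
        entries.append(SandboxPath(inside, outside, optional))
    return entries


def check_sandbox_paths(entries, exists=os.path.exists):
    """Return (inside, problem) tuples for entries Nix could not mount:
    an empty host target (the `/bin/sh=` case) or a missing required one."""
    problems = []
    for e in entries:
        if e.outside == "":
            problems.append((e.inside, "empty host target (SANDBOX_SHELL unset?)"))
        elif not e.optional and not exists(e.outside):
            problems.append((e.inside, f"host path {e.outside!r} does not exist"))
    return problems


def check_nix_conf(text, exists=os.path.exists):
    """Locate the `sandbox-paths` line in nix.conf text and check its entries."""
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")
        if key.strip() == "sandbox-paths":
            return check_sandbox_paths(parse_sandbox_paths(value), exists)
    return []


# Constructed sample input: a nix.conf with the broken mapping plus an optional
# and a required entry, and a fake host filesystem so no real paths are touched.
SAMPLE_CONF = "sandbox = true\nsandbox-paths = /bin/sh= /dev/kvm? /lib/libfoo.so=/opt/libfoo.so\n"
FAKE_HOST_PATHS = {"/bin/busybox"}


def fake_exists(path):
    return path in FAKE_HOST_PATHS


if __name__ == "__main__":
    for inside, why in check_nix_conf(SAMPLE_CONF, fake_exists):
        print(f"{inside}: {why}")
```

Run against the real file with `check_nix_conf(open("/etc/nix/nix.conf").read())` to use the actual filesystem instead of the fake one.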
