Chrome OS 83 breaks nix sandboxing

I’m using Nix with nix-daemon enabled on a chromebook using Crostini, which essentially puts me in a Debian Buster LXD container. This worked great in ChromeOS 81, but version 83 appears to break sandboxing:

$ nix-build
these derivations will be built:
  /nix/store/0i9mr5fyjpivpgp05d3v0d3zwqwp8sy1-elm-app-0.1.0.drv
error: while setting up the build environment: mounting /proc: Operation not permitted

If I run nix-build as root with --option sandbox false it works, but that’s far from ideal. I’m not intimately familiar with the crostini/crosvm security features, nor with Nix’s current sandboxing setup, so I’m hoping someone else knows what the story is here. Any clues?

1 Like

I hit the same thing. My own use of user namespaces on Crostini broke in ChromeOS 83. I reported it here:

Chromium issue 1087937 (Monorail)

The specific problem is that attempting to mount /proc in a user namespace fails with EPERM. The simple reproduction path is:

$ unshare -Upf --mount-proc
unshare: mount /proc failed: Operation not permitted

I’ll cross-link that bug report here. The only workaround I could find was to run my sandboxes as root without user namespace isolation (but at least I get the pid/mount/net isolation…)

-Ken

It looks like the Flatpak folks hit the same thing. See: https://www.reddit.com/r/Crostini/comments/gfi45d/flatpak_broken_on_m83beta_830410342/

So I have a bit more understanding and a workaround. The understanding is that the kernel is refusing to mount /proc because in the parent mount namespace, /proc is partly covered by a bunch of new lxcfs mounts, and the kernel is afraid of exposing parts of /proc that the user is not intended to see. The workaround is to unmount those mounts that are under /proc:

kduda@penguin:~$ unshare -Upf --mount-proc
unshare: mount /proc failed: Operation not permitted
kduda@penguin:~$ sudo umount /proc/{cpuinfo,diskstats,meminfo,stat,uptime}
kduda@penguin:~$ unshare -Upf --mount-proc
nobody@penguin:~$ echo $$
1
nobody@penguin:~$ ls -d /proc/[0-9]*
/proc/1
nobody@penguin:~$

I don’t know if this workaround is a good idea. I’m not sure what the lxcfs mounts are for. But, I do expect that if you unmount all of the lxcfs mounts under /proc, then nix sandboxing will work again for you.

-Ken

2 Likes
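Added example (my own, not code from any poster in this thread): a small POSIX shell helper that turns the diagnosis above into a check. It parses /proc/self/mountinfo-format text (field 5 is the mount point), lists every mount point that sits below /proc, and assembles the umount command from that live list instead of the hard-coded five paths, so it also catches an lxcfs layout that differs from the one Ken saw. The sample mountinfo text embedded below is constructed for illustration; its source, device and option fields are assumptions and are not copied from a real Crostini container. The live check at the end only runs when the script is invoked with --live, and uses the same unshare reproduction the thread already shows.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format (NOT captured from a real
# container): a plain /proc with two lxcfs mounts covering files beneath it.
SAMPLE_MOUNTINFO='20 0 8:1 / / rw,relatime - ext4 /dev/root rw
24 20 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
25 24 0:45 /proc/cpuinfo /proc/cpuinfo rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw
26 24 0:45 /proc/meminfo /proc/meminfo rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw
27 20 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw'

# Print mount points strictly below /proc, one per line.
# mountinfo field 5 is the mount point; "/proc" itself is excluded on purpose.
proc_submounts() {
    printf '%s\n' "$1" | awk '$5 ~ /^\/proc\/./ { print $5 }'
}

# Number of such submounts; unshare --mount-proc (and therefore the Nix
# sandbox) keeps failing with EPERM while mounts like these cover /proc.
proc_submount_count() {
    proc_submounts "$1" | wc -l | tr -d ' '
}

# Build the workaround command from the observed list rather than guessing.
workaround_command() {
    list=$(proc_submounts "$1")
    if [ -z "$list" ]; then
        echo "nothing to unmount"
        return 0
    fi
    printf 'sudo umount'
    printf '%s\n' "$list" | while IFS= read -r mp; do
        printf ' %s' "$mp"
    done
    printf '\n'
}

# Live check on this machine: the thread's own reproduction, reduced to a
# yes/no, followed by the submount list and suggested command if it fails.
live_check() {
    if unshare -Upf --mount-proc true 2>/dev/null; then
        echo "user-namespace /proc mount: OK"
    else
        echo "user-namespace /proc mount: FAILED; mounts below /proc:"
        info=$(cat /proc/self/mountinfo)
        proc_submounts "$info"
        workaround_command "$info"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check-proc-mounts.sh --live` inside the container; without the flag it only defines the functions, which is what lets the sample text be checked offline. Unmounting the lxcfs views is a container-level change, so confirm with `cat /proc/self/mountinfo` afterwards that /proc is no longer covered before relying on the sandbox again.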

This got me a step closer to getting the install-nix-2.3.7 script working as normal user in the ChromeOS Linux container. My current ChromeOS version is: Version 84.0.4147.110 (Official Build) (64-bit) and I’m using the Linux (Beta) on the stable channel.

After executing:
sudo umount /proc/{cpuinfo,diskstats,meminfo,stat,uptime}

I tried running the install script again and got an error about not being able to change user on: /nix/var/nix/profiles/per-user/nobody/ (or something like that).

I noticed it said nobody@penguin like above so I decided to exit the terminal completely and reopen it. It had returned to my username@penguin, so then I tried executing install-nix-2.3.7 again and it installed without issue. No root needed. :slight_smile:

1 Like