Chrome OS 83 breaks nix sandboxing

I’m using Nix with nix-daemon enabled on a chromebook using Crostini, which essentially puts me in a Debian Buster LXD container. This worked great in ChromeOS 81, but version 83 appears to break sandboxing:

$ nix-build
these derivations will be built:
error: while setting up the build environment: mounting /proc: Operation not permitted

If I run nix-build as root with --option sandbox false it works, but that’s far from ideal. I’m not intimately familiar with the crostini/crosvm security features, nor with Nix’s current sandboxing setup, so I’m hoping someone else knows what the story is here. Any clues?

1 Like

I hit the same thing. My own use of user namespaces on Crostini broke in ChromeOS 83. I reported it here:

1087937 - chromium - An open-source project to help move the web forward. - Monorail

The specific problem is that attempting to mount /proc in a user namespace fails with EPERM. The simple reproduction path is:

$ unshare -Upf --mount-proc
unshare: mount /proc failed: Operation not permitted

I’ll cross-link that bug report here. The only workaround I could find was to run my sandboxes as root without user namespace isolation (but at least I get the pid/mount/net isolation…)


It looks like the Flatpak folks hit the same thing. See:

So I have a bit more undertstanding and a workaround. The understanding is that the kernel is refusing to mount /proc because in the parent mount namespace, /proc is partly covered by a bunch of new lxcfs mounts, and the kernel is afraid of exposing parts of /proc that the user is not intended to see. The workaround is to unmount those mounts that are under /proc:

kduda@penguin:~$ unshare -Upf --mount-proc
unshare: mount /proc failed: Operation not permitted
kduda@penguin:~$ sudo umount /proc/{cpuinfo,diskstats,meminfo,stat,uptime}
kduda@penguin:~$ unshare -Upf --mount-proc
nobody@penguin:~$ echo $$
nobody@penguin:~$ ls -d /proc/[0-9]*

I don’t know if this workaround is a good idea. I’m not sure what the lxcfs mounts are for. But, I do expect that if you unmount all of the lxcfs mounts under /proc, then nix sandboxing will work again for you.



This got me a step closer to getting the install-nix-2.3.7 script working as normal user in the ChromeOS Linux container. My current ChromeOS version is: Version 84.0.4147.110 (Official Build) (64-bit) and I’m using the Linux (Beta) on the stable channel.

After executing:
sudo umount /proc/{cpuinfo,diskstats,meminfo,stat,uptime}

I tried running the install script again and got an error about not being able to change user on: /nix/var/nix/profiles/per-user/nobody/ (or something like that).

I noticed it said nobody@penguin like above so I decided to exit the terminal completely and reopen it. It had returned to my username@penguin, so then I tried executing install-nix-2.3.7 again and it installed without issue. No root needed. :slight_smile:

1 Like