Nix macOS sandbox issues in Nix 2.4 and later

Invoking nix from within a derivation build script violates the macOS sandbox starting in Nix 2.4 and later. I filed an issue about this almost a month ago with no response so I’m hoping to put a little visibility on this:

The tl;dr is Nix 2.4 is aborting when testing the new nix-path config option’s default values (/nix/var/nix/profiles/per-user/root/channels{,/nixpkgs}) to see if they exist on disk, and Nix 2.5 adds yet another failure case where it tests for Rosetta support by looking for {/Library/Apple,}/System/Library/LaunchDaemons/. In both cases the function used to test for this simply throws an exception if it gets a permissions error.

This actually affects regular usage too if I muck with permissions, e.g. sudo chmod o-rx /nix/var/nix/profiles/per-user/root will break the ability for anyone besides root to run nix, and while I haven’t tested, I assume this particular breakage is not macOS-specific as it’s just regular unix permissions.

I’ve commented on the issue already with suggested approaches.
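To make the failure mode concrete, here is an added C++ example (not code from Nix or from the poster) contrasting two ways of probing an optional path. pathExistsStrict is a hypothetical stand-in for the behaviour described above: it turns every stat() failure other than "does not exist" into an exception, so a permission error on a default that was only being checked opportunistically aborts the whole command. pathExistsLenient treats an unreachable path (EACCES, or EPERM as a sandbox may report it) as absent. The fixture directory and all paths are constructed for the demo; the function names are assumptions, not Nix APIs. The scenario also handles the root case, where directory permissions are bypassed and both probes simply report the path as present.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical probe mirroring the behaviour the post describes: any stat()
// failure other than "does not exist" becomes an exception, so a permission
// error on an optional default path aborts the caller outright.
bool pathExistsStrict(const std::string& path) {
    struct stat st;
    if (stat(path.c_str(), &st) == 0) return true;
    if (errno == ENOENT || errno == ENOTDIR) return false;
    throw std::runtime_error("getting status of '" + path + "': " + std::strerror(errno));
}

// Tolerant probe for optional defaults: a path the process is not allowed to
// reach (EACCES, or EPERM as a sandbox may report it) is treated as absent,
// because the caller only wants to know whether it can use the path.
bool pathExistsLenient(const std::string& path) {
    struct stat st;
    if (stat(path.c_str(), &st) == 0) return true;
    if (errno == ENOENT || errno == ENOTDIR || errno == EACCES || errno == EPERM) return false;
    throw std::runtime_error("getting status of '" + path + "': " + std::strerror(errno));
}

enum class Probe { Exists, Absent, Threw };

// Run a probe and report how it ended instead of letting the exception escape.
Probe probe(bool (*fn)(const std::string&), const std::string& path) {
    try {
        return fn(path) ? Probe::Exists : Probe::Absent;
    } catch (const std::runtime_error&) {
        return Probe::Threw;
    }
}

// Constructed fixture: <tmpdir>/locked/child, with "locked" chmod'ed to 0000
// so that a non-root process gets EACCES when it stat()s "child".
// Returns the path of "child", or an empty string on failure.
std::string makeLockedFixture() {
    char tmpl[] = "/tmp/pathprobe.XXXXXX";
    if (!mkdtemp(tmpl)) return "";
    std::string locked = std::string(tmpl) + "/locked";
    std::string child = locked + "/child";
    if (mkdir(locked.c_str(), 0700) != 0) return "";
    if (mkdir(child.c_str(), 0700) != 0) return "";
    if (chmod(locked.c_str(), 0000) != 0) return "";
    return child;
}

void removeLockedFixture(const std::string& child) {
    std::string locked = child.substr(0, child.rfind('/'));
    std::string base = locked.substr(0, locked.rfind('/'));
    chmod(locked.c_str(), 0700);  // restore search permission so rmdir works
    rmdir(child.c_str());
    rmdir(locked.c_str());
    rmdir(base.c_str());
}

// Full scenario: for a non-root process the strict probe throws on the
// unreachable child while the lenient one reports it as absent. Root bypasses
// directory permission bits, so there both probes see the child as present.
bool lockedFixtureBehavesAsExpected() {
    std::string child = makeLockedFixture();
    if (child.empty()) return false;
    Probe strict = probe(pathExistsStrict, child);
    Probe lenient = probe(pathExistsLenient, child);
    removeLockedFixture(child);
    if (geteuid() == 0) return strict == Probe::Exists && lenient == Probe::Exists;
    return strict == Probe::Threw && lenient == Probe::Absent;
}

int main() {
    // Constructed, non-existent path: both probes agree it is simply absent.
    const std::string missing = "/no/such/path/constructed";
    std::printf("missing path, strict: %s\n",
                probe(pathExistsStrict, missing) == Probe::Absent ? "absent" : "other");
    std::printf("missing path, lenient: %s\n",
                probe(pathExistsLenient, missing) == Probe::Absent ? "absent" : "other");
    std::printf("locked fixture scenario: %s\n",
                lockedFixtureBehavesAsExpected() ? "behaved as described" : "unexpected");
    return 0;
}
```

The point of the lenient variant is scope: a probe for a default that the user never asked for should degrade to "not available" rather than propagate an I/O error, while an explicit user-supplied path can still surface the permission error loudly.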


Oh and to be more clear, this isn’t just affecting some random derivations that invoke nix, this affects building Nix itself as it invokes itself in order to build its manual.

I like to keep the macOS sandbox on in relaxed mode just as a sanity check to ensure derivations aren’t accidentally accessing things outside the sandbox that they don’t intend to, but it’s really frustrating when this means I can’t build Nix itself, or can’t build rnix-lsp (which actually had to work around this issue in v0.2.4 by disabling the test that invokes nix when run on macOS :persevere:). Especially as this worked just fine on Nix 2.3.
