Nix: NO_NEW_PRIVS... Segmentation fault

Hello folks,

I have been trying to automate a build of Singularity 4.3.1 using a nix flake, but I have been stuck on this problem for the past two days:

=> running post-basechecks project specific checks ...
 checking: namespace: CLONE_NEWPID... yes
 checking: namespace: CLONE_FS... yes
 checking: namespace: CLONE_NEWNS... yes
 checking: namespace: CLONE_NEWUSER... yes
 checking: namespace: CLONE_NEWIPC... yes
 checking: namespace: CLONE_NEWNET... yes
 checking: namespace: CLONE_NEWUTS... yes
 checking: namespace: CLONE_NEWCGROUP... yes
 checking: feature: NO_NEW_PRIVS... Segmentation fault
ERROR: Kernel does not support NO_NEW_PRIVS. Updated Kernel is required.

I am not sure why nix hits this issue; if I run the mconfig command directly on the host, it works without a hitch.

flake.nix

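{
  description = "Statically linked SingularityCE 4.3.1";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };
        version = "4.3.1";
      in {
        packages.default = pkgs.stdenv.mkDerivation {
          pname = "singularityce";
          inherit version;

          # Source is pinned to an exact commit *and* a content hash, so a
          # moved or re-pushed v4.3.1 tag cannot silently change what is built.
          src = pkgs.fetchgit {
            url = "https://github.com/sylabs/singularity.git";
            rev = "bda114306f186f4d613de9715c763191793f9ec3";  # Tag v4.3.1
            fetchSubmodules = true;
            # Full history is fetched; only needed if the build derives
            # anything from git metadata — TODO confirm, otherwise drop it.
            deepClone = true;
            sha256 = "oi6kMsfOIEIm9HB9HKAgFTm/9I1QDc9jw6Topclb0JU=";
          };

          # Build-time-only tools (autotools, pkg-config, the Go toolchain).
          nativeBuildInputs = with pkgs; [
            autoconf
            automake
            libtool
            m4
            pkg-config
            go_1_23
            makeWrapper
          ];

          # Libraries the C parts (starter, seccomp, FUSE) link against.
          buildInputs = with pkgs; [
            fuse3
            libseccomp
            squashfsTools
            glibc.static
          ];

          configurePhase = ''
            runHook preConfigure

            export GOCACHE=$TMPDIR/go-cache
            export GOPATH=$TMPDIR/go-path
            export GOROOT=${pkgs.go_1_23}/share/go
            export PATH=${pkgs.go_1_23}/bin:$PATH
            export GO=${pkgs.go_1_23}/bin/go
            echo "v${version}" > VERSION
            export CGO_ENABLED=1
            # NOTE(review): mconfig's feature probes (the NO_NEW_PRIVS check
            # included) are small C programs that appear to be built with the
            # compiler flags exported here; if the probe segfaults only under
            # nix, re-run ./mconfig once with CFLAGS/LDFLAGS unset to confirm
            # whether the static flags are the trigger. Go's external linker
            # does not read LDFLAGS, so a statically linked Go binary needs
            # CGO_LDFLAGS or -extldflags instead — verify the result with ldd.
            export CFLAGS="-static"
            export LDFLAGS="-static"

            # --prefix=$out installs straight into the store path; without it
            # the default prefix is used and DESTDIR would only prepend $out,
            # leaving the tree under $out/usr/local. --without-suid keeps the
            # setuid starter out of the build, which is the right default for
            # an unprivileged install.
            ./mconfig --prefix=$out --without-suid --without-libsubid -b builddir

            runHook postConfigure
          '';

          buildPhase = ''
            runHook preBuild
            make -C builddir
            runHook postBuild
          '';

          installPhase = ''
            runHook preInstall
            # Prefix was set at configure time, so no DESTDIR is needed.
            make -C builddir install
            runHook postInstall
          '';

          meta = with pkgs.lib; {
            description = "Statically-linked SingularityCE 4.3.1 build";
            license = licenses.bsd2;
            platforms = platforms.linux;
          };
        };
      });
}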

I have sandbox = false in /etc/nix/nix.conf and my user is part of the trusted-users.

Thanks :slight_smile: