Nixpkgs that need --no-sandbox

I’m trying to add a P4 switch (networking component) package to nixpkgs which only passes unit tests without the sandbox enabled (i.e. nix-build --no-sandbox ....). Is there a way to specify in the default.nix file for the package to build without the sandbox? (Or is there a completely different / better way to fix this?)

If you can not make the tests pass because of the sandbox, remove the failing tests, or ignore them, whatever is appropriate in the test framework used.

If it's just too many of them, disable the checkPhase.

Also, on newer nixes (2.8+) there is a __* attribute to disable the sandbox for individual derivations, if I recall correctly. Though I do not think those will be accepted into nixpkgs.

Hmm, I think I found the attribute: nix.conf - Nix Reference Manual

Just building it now to check if it’s honoured.

I think having to choose between ensuring unit tests pass and disabling the sandbox, I would have to go with the unit tests. Given the components are pretty new and experimental, I think it is critical for the unit tests to be run and pass, otherwise users may be chasing their tails trying to use a broken package.

Nope, that's a configuration option.

Though I just checked the most recent release notes, and the attribute I had in mind was not about the sandbox but about impure derivations:

You are right. I’ll have a look at the code and see if there is a way to make it work without disabling the sandbox.

If the package is for your own personal/organizational use then sure, that might be true.

However the sandbox is a critical assumption of nixpkgs’ organizational processes. Reviewers don’t check PRs for “if merged, could the build script inject malware into other build products on Hydra?” If they had to audit for that I think nixpkgs would probably go stale in short order.

You were probably thinking of the derivation attribute __noChroot (follow @wmarais’s link and scroll down further).

I find the terminology around nix’s sandbox to be maddeningly inconsistent. In some places it is called the “sandbox”, in other places it is called “chroot”. And then there is “syscall filtering” which nix treats as being totally orthogonal to the sandbox, but without which you can defeat the sandbox, so it’s clearly part of sandboxing but not part of “the sandbox”. Argh. I am glad I’m not in a situation where I have to explain this to customers/management/higher-ups, although since it’s security-critical I have to assume that other people are in that situation.

You’re in for a treat.

When I dug into the nix source code a while back I discovered that “the sandbox is enabled” isn’t all or nothing; there are various levels of sandboxing that are enabled or disabled based on which Linux APIs (namespaces, ptrace, etc.) nix was successful in invoking. Sometimes some of those will fail and nix will silently proceed with only partial sandboxing.

Thanks @amjoseph. Ha! I was wondering what the difference was, if any, between sandbox and chroot in nix, did not even know about the syscall filtering, but it makes sense. :smiley:

I did not mean the nix source, I meant the package source that I am trying to build (it’s not my code). Though, I think I will probably just do something along the lines of what @NobbZ suggested and disable those unit tests. (Specifically, I am thinking of writing a bit of script to detect if it’s being compiled in the sandbox, and if so then disable the tests, and if not enable the tests. That way I can still configure my nixos install to disable sandboxing for those systems without angering Hydra.)

Your best bet here is to examine /bin/sh. The sandbox has to redirect that in order to implement POSIX’s system(3). For example:

with import /nix/nixpkgs { };
stdenv.mkDerivation {
  name = "demo";
  dontUnpack = true;
  nativeBuildInputs = [ pkgs.coreutils ];
  buildPhase = ''
    # Inside the sandbox /bin/sh is the bind-mounted sandbox shell, so this
    # hash differs from the one printed by an unsandboxed build.
    ${pkgs.coreutils}/bin/md5sum /bin/sh
  '';
  dontInstall = true;
}

Put the above in demo.nix and try

nix-build demo.nix --option sandbox false
nix-build demo.nix --option sandbox true

You’ll get different hashes.

1 Like
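Combining the /bin/sh check from the post above with the plan of gating the unit tests on it, here is an added example of a checkPhase that skips the sandbox-incompatible tests only when /bin/sh hashes to the sandbox shell. This is not code from the thread or from nixpkgs; the package name, source, test targets and the @SANDBOX_SH_MD5@ value are placeholders, the last one being the hash printed by the demo above under --option sandbox true on Linux.

```nix
{ stdenv }:

stdenv.mkDerivation {
  pname = "p4-switch-demo";   # placeholder package
  version = "0.0.0";
  src = ./.;                  # placeholder source tree
  doCheck = true;

  # md5sum of /bin/sh observed in a sandboxed build (placeholder value).
  # mkDerivation exports this attribute as an environment variable for the
  # build script below.
  sandboxShellMd5 = "@SANDBOX_SH_MD5@";

  checkPhase = ''
    runHook preCheck
    # The sandbox bind-mounts the configured sandbox-shell onto /bin/sh, so
    # its hash is stable across sandboxed builds on the same Nix install;
    # outside the sandbox /bin/sh is whatever the host provides.
    actual=$(md5sum /bin/sh | cut -d ' ' -f1)
    if [ "$actual" = "$sandboxShellMd5" ]; then
      echo "sandboxed build: running only the tests that do not need the host"
      make check-sandbox-safe   # placeholder target: tests that pass in the sandbox
    else
      echo "unsandboxed build: running the full unit test suite"
      make check                # placeholder target: full suite
    fi
    runHook postCheck
  '';
}
```

Note that the build's behaviour now depends on where it runs, which is exactly what the reviewer-facing concern above is about; keeping the sandboxed branch to a fixed, named subset of tests keeps that difference visible in the expression.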