Running unpatched binaries by jailing them

  1. Since Nix is functional, unpatched binaries in NixOS tend to file not found miserably
  2. But despite being functional, there’s /run/current-system/sw

So I wondered: could the binary problem be solved by some jailing?

$ mkdir union
$ unionfs /:/run/current-system/sw:/nix/store/1mnsmslnx5anjfksac6417xfzzglrwhr-glibc-2.27/ union
$ chroot union

And indeed, some binaries started to work. But most others did not work, including some that did work before.

And yet, maybe a more intelligent (and nix-aware) sandbox could solve the binary problem?

Sounds like you are looking for buildFHSUserEnv.
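As an added illustration of that suggestion (not from the thread's author or from nixpkgs itself), a minimal buildFHSUserEnv wrapper that gives an unpatched binary a conventional /lib and /usr/lib layout inside a sandbox instead of symlinking into the real root; the file name and the library list are assumptions to be adjusted per binary:

```nix
# fhs-env.nix (assumed file name); build with: nix-build fhs-env.nix
{ pkgs ? import <nixpkgs> {} }:

pkgs.buildFHSUserEnv {
  name = "fhs-shell";
  # Packages made visible at the FHS paths (/lib, /usr/lib, /bin, ...) inside the
  # environment only; the host's / is left untouched, so no impurity leaks out.
  # Extend this list with whatever the unpatched binary actually links against.
  targetPkgs = pkgs: with pkgs; [ glibc zlib openssl ];
  # Packages that should be present in both 32-bit and 64-bit form.
  multiPkgs = pkgs: with pkgs; [ zlib ];
  # What to run inside the environment: a shell, so the binary can be started
  # from it and inspected first.
  runScript = "bash";
}
```

After `./result/bin/fhs-shell`, running `ldd ./the-binary` inside the environment shows which libraries now resolve and which are still missing, which is the same "file not found" the thread talks about, but confined to the sandbox.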

I think it is possible to environment.pathsToLink = ["/lib"]; and then
symlink /var/run/current-system/sw/lib into /lib. (That will
probably result in tons of merge warnings, but should work.)

Also, if you are just looking to run some random binary, you could give
steam-run a try. It is basically a buildFHSUserEnv wrapper with the
most commonly used libraries.

I should also note that the linking method is not very Nix-ish. It introduces impurity, and we prefer a “file not found” error to a package working for some users and not others. (Due to wrong/absent patching and a combination of installed libraries.)

By the way, couldn’t the file not found be fixed by a phony ld-linux.so? So a user would have a clear error message.