Running unpatched binaries by jailing them

  1. Since Nix is functional, unpatched binaries in NixOS tend to file not found miserably
  2. But despite being functional, there’s /run/current-system/sw

So I wondered: could the binary problem be solved by some jailing?

$ mkdir union
$ unionfs /:/run/current-system/sw:/nix/store/1mnsmslnx5anjfksac6417xfzzglrwhr-glibc-2.27/ union
$ chroot union

And indeed, some binaries started to work. But most others did not work, including some that did work before.

And yet, maybe a more intelligent (and nix-aware) sandbox could solve the binary problem?

Sounds like you are looking for buildFHSUserEnv.

I think it is possible to environment.pathsToLink = ["/lib"]; and then
symlink /var/run/current-system/sw/lib into /lib. (That’s will
probably result in tons of merge warnings, but should work.)

Sounds like you are looking for buildFHSUserEnv.

Also, if you are just looking to run some random binary, you could give
steam-run a try. It is basically buildFHSUserEnv wrapper with the
most commonly used libraries.

I should also note that the linking method is not very Nix-ish. It introduces impurity, and we prefer “file not found” error rather than a package working for some users and not others. (Due to wrong/absent patching and a combination of installed libraries.)

By the way, couldn’t the file not found be fixed by a phony So a user would have a clear error message.