Nix 2.12+ allows writing to the sandbox's /etc #7813
Description
Steps To Reproduce
$ nix-build -E 'derivation { name = "test"; builder = "/bin/sh"; args = [ "-c" ": > /etc/test" ]; system = builtins.currentSystem; }'
this derivation will be built:
/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv
building '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv'...
error: builder for '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv' failed to produce output path for output 'out' at '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv.chroot/nix/store/mf3k9v1ph0s43cdq8wqcwhlpa52s41an-test'
Expected behavior
$ nix-build -E 'derivation { name = "test"; builder = "/bin/sh"; args = [ "-c" ": > /etc/test" ]; system = builtins.currentSystem; }'
this derivation will be built:
/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv
building '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv'...
sh: can't create /etc/test: Permission denied
builder for '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv' failed with exit code 1
error: build of '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv' failed
nix-env --version output
nix-env (Nix) 2.12.0
Additional context
Introduced by #3600.
This is extremely problematic, as it makes it easy to miss packages trying to install files that will be discarded after the build. For example, NixOS/nixpkgs#214086 missed that the package now installs files into /etc. As long as OfBorg/Hydra are running affected Nix versions, we'll be unknowingly adding broken packages to Nixpkgs that won't build any more after this bug is fixed.
Priorities
Add 👍 to issues you find important.