lowdown: disable sandbox on x86_64-darwin #346933

Closed
reckenrode wants to merge 1 commit into NixOS:master from reckenrode:push-ormxsrlloonl

@reckenrode (Contributor) commented Oct 6, 2024

After #346043, lowdown will also try to use the sandbox on x86_64-darwin, which won’t work. It fixes the following error in installCheckPhase.

sandbox initialization failed: Operation not permitted
lowdown: sandbox_init: Operation not permitted

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@reckenrode reckenrode marked this pull request as ready for review October 6, 2024 19:47
@ofborg ofborg bot added the 6.topic: darwin Running or building packages on Darwin label Oct 6, 2024
@ofborg ofborg bot requested a review from sternenseemann October 6, 2024 20:36
@ofborg ofborg bot added 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Oct 6, 2024
@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one person. label Oct 7, 2024
@reckenrode (Contributor, Author)

@emilazy Thoughts on how to proceed? Yours is arguably the more robust approach (because it preserves the sandbox mode for users). Is it worth preparing ahead of #346043, or wait for yours?

@emilazy (Member) commented Oct 7, 2024

If you’re happy with my approach, then I’d personally prefer it over this PR. I just didn’t want to rush a self‐merge, though it does already have an approval.

I don’t mind this PR as a stop‐gap, either, since it’s already doing the bad thing on aarch64-darwin. But I’d personally prefer to take the opportunity to do the right thing here.

@reckenrode reckenrode closed this in dc32d18 Oct 8, 2024
@reckenrode reckenrode deleted the push-ormxsrlloonl branch October 8, 2024 00:29
@reckenrode (Contributor, Author)

Since you got approvals for your approach, I went ahead and committed it.

wrbbz pushed a commit to wrbbz/nixpkgs that referenced this pull request Oct 9, 2024
This is a program written in a memory‐unsafe language that processes
potentially‐untrusted user input. We shouldn’t disable upstream’s
sandboxing mechanisms for all downstream consumers without good
reason.

Although the sandbox API is officially marked as deprecated, it is
used as the basis for the supported App Sandbox and it is extremely
unlikely to ever be removed as it is used extensively throughout
the OS for service hardening and by third parties like the Chrome
sandbox. Nix itself uses it to sandbox builds, and its lack of support
for nesting is why this caused problems in the first place. Instead,
introduce a `lowdown-unsandboxed` package that can be used in the
`nativeBuildInputs` of Nix builds, while keeping the sandboxed
version of the program for general use. The name might not be ideal,
as it remains identical to `lowdown` on non‐Darwin platforms,
but I couldn’t think of a better one.

See: NixOS#125004
Closes: NixOS#346933