Skip to content

rsync: fix tests in Darwin sandbox#431202

Merged
emilazy merged 1 commit intoNixOS:stagingfrom
emilazy:push-uqppyspqwlqp
Aug 16, 2025
Merged

rsync: fix tests in Darwin sandbox#431202
emilazy merged 1 commit intoNixOS:stagingfrom
emilazy:push-uqppyspqwlqp

Conversation

@emilazy
Copy link
Member

@emilazy emilazy commented Aug 5, 2025

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 501-1000 This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Aug 5, 2025
@nix-owners nix-owners bot requested a review from ivan August 5, 2025 15:26
Copy link
Contributor

@al3xtjames al3xtjames left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks cleaner than my attempt. Thanks!

BTW, it should be possible to readd fakeroot to checkInputs (on line 56) after #427036. This should allow the chown and device tests to pass (they're skipped without it, IIRC). fakeroot also needs to set propagatedSandboxProfile allow System V IPC on Lix, since it's not allowed in the default sandbox profile.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 15, 2025
@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2025

Honestly, I would rather do less fakeroot than more. It’s pretty cursed. I’d like to get to the point where sandbox = true can build things reliably enough to be on by default, through improvements in both the default sandbox profile and in Nixpkgs, since sandbox profiles in derivations are a huge hole in the security model. NixOS/nix#10878 seems like a mistake to me, as it is yet another side channel for derivation builds to communicate with each other and the outside world:

{
  runCommandCC,
  role,
}:
    
let
  src = ''
    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>
    #include <sys/ipc.h>
    #include <sys/msg.h>

    struct message {
        long type;
        char text[64];
    };

    int main(int argc, char **argv)
    {
        int queue = msgget(1234, IPC_CREAT | 0666);
        if (strcmp(argv[1], "server") == 0) {
            if (msgsnd(queue, &(struct message){
                .type = 1,
                .text = "hi",
            }, sizeof("hi"), 0) < 0) abort();
        } else {
            struct message m;
            if (msgrcv(queue, &m, 64, 1, 0) < 0) abort();
            puts(m.text);
        }
    }
  '';
in

runCommandCC "sysv-ipc-test" {
  sandboxProfile = "(allow ipc-sysv*)";
} ''
  cc ${builtins.toFile "test.c" src}
  ./a.out ${role}
''

It looks like fakeroot can be used with loopback TCP, which should work in combination with __darwinAllowLocalNetworking, but it would really be ideal if it could use Unix sockets instead… but I’d still lean towards less test coverage over fakeroot in many cases, since you’re not exactly testing against the real operating system API.

@emilazy emilazy force-pushed the push-uqppyspqwlqp branch from 8bb1640 to fea9101 Compare August 16, 2025 02:12
@ofborg ofborg bot added the 6.topic: darwin Running or building packages on Darwin label Aug 16, 2025
@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2025

Switched to git format-patch format; merging.

@emilazy emilazy enabled auto-merge August 16, 2025 02:13
@emilazy emilazy merged commit d121fa8 into NixOS:staging Aug 16, 2025
25 of 29 checks passed
@emilazy emilazy deleted the push-uqppyspqwlqp branch August 16, 2025 02:20
@al3xtjames
Copy link
Contributor

Yeah, that makes sense - that example is pretty illustrative. It seems like patching tests which fail in the sandbox (or disabling them, if that's not possible) should be preferred to setting a sandboxProfile. I'll update my open PRs to do this.

@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2025

I think it depends – there are some cases where there doesn’t seem to be any good reason not to allow access to something by default (e.g. the OS‐provided fonts, to allow CoreText‐using tests to work), and in that case I think the default sandbox profile should be fixed but that it’s fine to use sandboxProfile to work around it in the meantime. However I would like to move in a direction of the macOS sandbox being an actual security/isolation boundary of some sort, and not allowing communication unless we really have to is a sensible part of that. Currently builds can still access the global /tmp, but I am hoping we can gradually fix that.

Feel free to ping me on macOS sandbox–related PRs, though my responsiveness is unreliable so no need to block on it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

6.topic: darwin Running or building packages on Darwin 10.rebuild-darwin: 501-1000 This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants