Add sandboxed building for FreeBSD using jails

src/libstore/meson.build

@@ -151,6 +151,12 @@ endif
 configdata_priv.set('HAVE_SECCOMP', seccomp.found().to_int())
 deps_private += seccomp
 
+if host_machine.system() == 'freebsd'
+  # libjail is not in freebsd.libc, but there's no discovery mechanism
+  libjail = declare_dependency(link_args : [ '-ljail' ])
+  deps_other += libjail
+endif
+
 nlohmann_json = dependency('nlohmann_json', version : '>= 3.9')
 deps_public += nlohmann_json
 

src/libstore/package.nix

@@ -5,6 +5,7 @@
 
   unixtools,
   darwin,
+  freebsd,
 
   nix-util,
   boost,
@@ -16,6 +17,7 @@
   sqlite,
 
   busybox-sandbox-shell ? null,
+  pkgsStatic,
 
   # Configuration Options
 
@@ -65,6 +67,7 @@ mkMesonLibrary (finalAttrs: {
     sqlite
   ]
   ++ lib.optional stdenv.hostPlatform.isLinux libseccomp
+  ++ lib.optional stdenv.hostPlatform.isFreeBSD freebsd.libjail
   ++ lib.optional withAWS aws-crt-cpp;
 
   propagatedBuildInputs = [
@@ -79,6 +82,9 @@ mkMesonLibrary (finalAttrs: {
   ]
   ++ lib.optionals stdenv.hostPlatform.isLinux [
     (lib.mesonOption "sandbox-shell" "${busybox-sandbox-shell}/bin/busybox")
+  ]
+  ++ lib.optionals stdenv.hostPlatform.isFreeBSD [
+    (lib.mesonOption "sandbox-shell" "${pkgsStatic.bash}/bin/bash")
   ];
 
   meta = {

src/libstore/unix/build/chroot-derivation-builder.cc

@@ -1,4 +1,4 @@
-#ifdef __linux__
+#if defined(__linux__) || defined(__FreeBSD__)
 
 namespace nix {
 
@@ -52,13 +52,16 @@ struct ChrootDerivationBuilder : virtual DerivationBuilderImpl
         return buildUser->getGID();
     }
 
+    virtual void extraChrootParentDirCleanup(const std::filesystem::path & chrootParentDir) {}
+
     void prepareSandbox() override
     {
         /* Create a temporary directory in which we set up the chroot
            environment using bind-mounts.  We put it in the Nix store
            so that the build outputs can be moved efficiently from the
            chroot to their final location. */
         std::filesystem::path chrootParentDir = store.toRealPath(drvPath) + ".chroot";
+        extraChrootParentDirCleanup(chrootParentDir);
         deletePath(chrootParentDir);
 
         /* Clean up the chroot directory automatically. */

src/libstore/unix/build/derivation-builder.cc

@@ -1276,13 +1276,22 @@ void DerivationBuilderImpl::runChild(RunChildArgs args)
             }
         }
 
+#if defined(__FreeBSD__)
+        /* Close all other file descriptors. This must happen before
+         * enterChroot for FreeBSD. */
+        unix::closeExtraFDs();
+#endif
+
         enterChroot();
 
         if (chdir(tmpDirInSandbox().c_str()) == -1)
             throw SysError("changing into %1%", PathFmt(tmpDir));
 
-        /* Close all other file descriptors. */
+#if !defined(__FreeBSD__)
+        /* Close all other file descriptors. This must happen after
+         * enterChroot for Linux. */
         unix::closeExtraFDs();
+#endif
 
         /* Disable core dumps by default. */
         struct rlimit limit = {0, RLIM_INFINITY};
@@ -1969,6 +1978,7 @@ StorePath DerivationBuilderImpl::makeFallbackPath(const StorePath & path)
 // FIXME: do this properly
 #include "chroot-derivation-builder.cc"
 #include "linux-derivation-builder.cc"
+#include "freebsd-derivation-builder.cc"
 #include "darwin-derivation-builder.cc"
 #include "external-derivation-builder.cc"
 
@@ -2031,6 +2041,11 @@ std::unique_ptr<DerivationBuilder> makeDerivationBuilder(
         return std::make_unique<ChrootLinuxDerivationBuilder>(store, std::move(miscMethods), std::move(params));
 
     return std::make_unique<LinuxDerivationBuilder>(store, std::move(miscMethods), std::move(params));
+#elif defined(__FreeBSD__)
+    if (useSandbox)
+        return std::make_unique<ChrootFreeBSDDerivationBuilder>(store, std::move(miscMethods), std::move(params));
+
+    return std::make_unique<FreeBSDDerivationBuilder>(store, std::move(miscMethods), std::move(params));
 #else
     if (useSandbox)
         throw Error("sandboxing builds is not supported on this platform");