lowdown: disable sandbox on x86_64-darwin #346933

Closed

reckenrode
Contributor

@reckenrode reckenrode commented Oct 6, 2024

After #346043, lowdown will also try to use the sandbox on x86_64-darwin, which won’t work. It fixes the following error in installCheckPhase.

sandbox initialization failed: Operation not permitted
lowdown: sandbox_init: Operation not permitted

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@reckenrode reckenrode marked this pull request as ready for review October 6, 2024 19:47
@ofborg ofborg bot added the 6.topic: darwin Running or building packages on Darwin label Oct 6, 2024
@ofborg ofborg bot requested a review from sternenseemann October 6, 2024 20:36
@ofborg ofborg bot added 10.rebuild-darwin: 101-500 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 6, 2024
@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Oct 7, 2024
@reckenrode
Contributor Author

@emilazy Thoughts on how to proceed? Yours is arguably the more robust approach (because it preserves the sandbox mode for users). Is it worth preparing ahead of #346043, or wait for yours?

@emilazy
Member

emilazy commented Oct 7, 2024

If you’re happy with my approach, then I’d personally prefer it over this PR. I just didn’t want to rush a self‐merge, though it does already have an approval.

I don’t mind this PR as a stop‐gap, either, since it’s already doing the bad thing on aarch64-darwin. But I’d personally prefer to take the opportunity to do the right thing here.

@reckenrode reckenrode closed this in dc32d18 Oct 8, 2024
@reckenrode reckenrode deleted the push-ormxsrlloonl branch October 8, 2024 00:29
@reckenrode
Contributor Author

Since you got approvals for your approach, I went ahead and committed it.

wrbbz pushed a commit to wrbbz/nixpkgs that referenced this pull request Oct 9, 2024

This is a program written in a memory‐unsafe language that processes
potentially‐untrusted user input. We shouldn’t disable upstream’s
sandboxing mechanisms for all downstream consumers without good
reason.

Although the sandbox API is officially marked as deprecated, it is
used as the basis for the supported App Sandbox and it is extremely
unlikely to ever be removed as it is used extensively throughout
the OS for service hardening and by third parties like the Chrome
sandbox. Nix itself uses it to sandbox builds, and its lack of support
for nesting is why this caused problems in the first place. Instead,
introduce a `lowdown-unsandboxed` package that can be used in the
`nativeBuildInputs` of Nix builds, while keeping the sandboxed
version of the program for general use. The name might not be ideal,
as it remains identical to `lowdown` on non‐Darwin platforms,
but I couldn’t think of a better one.

See: NixOS#125004
Closes: NixOS#346933