-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sandboxed builds with many sandbox rules fail on Darwin #2311
Comments
Ping @copumpkin, @LnL7. |
Wondering if this would still happen if we stopped doing as much "codegen" and started moving towards a more "data + code" sandbox design, as I've talked about in the past. That is, we'd factor out the common sandbox patterns into scheme on the sandbox side, rather than C++ on the Nix side. My understanding is that the scheme translates to a sort of bytecode that then gets sent to the kernel, and there's a branch destination limit in the encoding of that bytecode, so jumps that are too long fail as above. If there isn't all that much actual code that would stop the error from arising. |
As an easier workaround (but a workaround nonetheless) I think you should be able to pass |
Ah, did not know that. Thanks for the hint. |
Just ran into this today. Could run Ended up doing |
Has path length issues. See NixOS/nix#2311
I'm experiencing this as well. Any idea what it would take to fix it (so that we don't have to disable sandboxing)? |
I marked this as stale due to inactivity. → More info |
This is still relevant |
Same as #4119 |
Still relevant for me on arch |
I marked this as stale due to inactivity. → More info |
Looks like this hasn’t been fixed yet |
It seems like most of the macOS sandbox issues have been resolved, except for the 64K sandbox program limit. Here we enable the sandbox, but in order to work around this limit, we add `/nix/store` to the allowed paths by default. (Presumably the sandbox compiler is smart enough to replace multiple `/nix/store/...` paths with a single `/nix/store` parent path.) This is less than optimal, but much safer than disabling the sandbox entirely, and probably safer than disabling the sandbox on a per-package, as-needed basis, as well. Ref: NixOS/nix#4119 (comment) Also see: NixOS/nixpkgs#346945 NixOS/nix#6836 NixOS/nix#4119 amarshall/home-manager@d7319b7 NixOS/nixpkgs#366245 NixOS/nix#2311 Signed-off-by: Drew Hess <[email protected]>
I am using Nix on macOS and I have sandboxed builds enabled. When I build texlive derivations using the
texlive.combine
function, the build can fail with this message:My guess is that this is caused by the sandbox profile containing too many rules. Disabling sandboxing and restarting
nix-daemon
causes the build to succeed. This is also currently my workaround: disable sandboxing whenever something fails like this, then reenable.A better solution would probably be to check the length of the sandbox profile (somewhere around here in
build.cc
I guess) and fall back to a simpler profile automatically. How do you guys feel about this? I am willing to help getting this solved.The text was updated successfully, but these errors were encountered: