
sandboxed builds with many sandbox rules fail on Darwin #2311

Open
mroi opened this issue Jul 27, 2018 · 12 comments
Labels
macos Nix on macOS, aka OS X, aka darwin stale

Comments

@mroi

mroi commented Jul 27, 2018

I am using Nix on macOS and I have sandboxed builds enabled. When I build texlive derivations using the texlive.combine function, the build can fail with this message:

these derivations will be built:
  /nix/store/1sjfz02piyqgplvmw8xdxz8gfaka1brj-texlive-combined-2017.drv
building '/nix/store/1sjfz02piyqgplvmw8xdxz8gfaka1brj-texlive-combined-2017.drv'...
Assertion failed: (diff <= INSTR_JUMP_NE_MAX_LENGTH), function push_jne_instr, file /BuildRoot/Library/Caches/com.apple.xbs/Sources/Sandbox/Sandbox-851.200.128.41.1/src/compiler/patterns/serialize.c, line 186.
builder for '/nix/store/1sjfz02piyqgplvmw8xdxz8gfaka1brj-texlive-combined-2017.drv' failed due to signal 6 (Abort trap: 6)
error: build of '/nix/store/1sjfz02piyqgplvmw8xdxz8gfaka1brj-texlive-combined-2017.drv' failed

My guess is that this is caused by the sandbox profile containing too many rules. Disabling sandboxing and restarting nix-daemon causes the build to succeed. This is also currently my workaround: disable sandboxing whenever something fails like this, then re-enable it.

A better solution would probably be to check the length of the sandbox profile (somewhere around here in build.cc I guess) and fall back to a simpler profile automatically. How do you guys feel about this? I am willing to help getting this solved.
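
The failure mode described in this first comment, as an added example (not code from the issue or from Nix): a POSIX shell script that writes a Seatbelt (SBPL) profile with N distinct per-path rules and bisects the rule count at which `sandbox-exec` aborts. The rule shape, the `(allow default)` base and the constructed `/nix/store` names are assumptions modelled on SBPL syntax, not a copy of the profile Nix generates; the probe itself only runs on macOS, where `sandbox-exec` exists, while the generator and the bisection logic run anywhere.

```shell
#!/bin/sh
# Added example (not from the issue or from Nix): write a Seatbelt (SBPL)
# profile with N per-path rules and bisect the count at which the sandbox
# compiler aborts. The rule shape and the store paths are constructed; they
# are not the profile Nix generates.
set -eu

# gen_profile N FILE: allow-by-default profile plus N deny rules, each on a
# distinct literal /nix/store path, so /bin/true can still run when the
# profile compiles and the only failure left is the compiler itself.
gen_profile() {
    n=$1; out=$2
    {
        echo '(version 1)'
        echo '(allow default)'
        i=0
        while [ "$i" -lt "$n" ]; do
            # Constructed 32-digit "hashes"; real store hashes are base32.
            printf '(deny file-write* (literal "/nix/store/%032d-pkg-%d"))\n' "$i" "$i"
            i=$((i + 1))
        done
    } > "$out"
}

# rule_count FILE: number of per-path rules in a generated profile.
rule_count() {
    grep -c '"/nix/store/' "$1"
}

# profile_compiles N: status 0 if sandbox-exec compiles a profile with N
# rules and runs /bin/true under it, 1 on any failure (a compiler abort
# shows up as SIGABRT, exit status 134), 2 if sandbox-exec is unavailable
# (non-macOS host).
profile_compiles() {
    command -v sandbox-exec >/dev/null 2>&1 || return 2
    tmp=$(mktemp)
    gen_profile "$1" "$tmp"
    status=0
    sandbox-exec -f "$tmp" /bin/true >/dev/null 2>&1 || status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || return 1
}

# bisect LO HI: largest rule count in [LO, HI) that still compiles, given
# that LO compiles and HI does not.
bisect() {
    lo=$1; hi=$2
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if profile_compiles "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

if [ "${1:-}" = "probe" ]; then
    if profile_compiles 1; then
        echo "largest rule count that compiles: $(bisect 1 20000)"
    else
        echo "sandbox-exec unavailable, or a 1-rule profile already fails" >&2
        exit 2
    fi
fi
```

Run `sh probe.sh probe` on a Mac to get the largest rule count that still compiles for that OS build. The assertion quoted above is raised inside the process that calls into the sandbox compiler, so it surfaces as SIGABRT (exit status 134 from the shell); the probe therefore counts only exit 0 as a successful compile and run. The resulting number is specific to the installed Sandbox framework version (the assertion path names Sandbox-851.200.128.41.1), so re-run the probe after OS upgrades rather than hard-coding a threshold.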

@domenkozar domenkozar added the macos Nix on macOS, aka OS X, aka darwin label Jul 27, 2018
@edolstra
Member

Ping @copumpkin, @LnL7.

@copumpkin
Member

copumpkin commented Jul 27, 2018

Wondering if this would still happen if we stopped doing as much "codegen" and started moving towards a more "data + code" sandbox design, as I've talked about in the past. That is, we'd factor out the common sandbox patterns into scheme on the sandbox side, rather than C++ on the Nix side.

My understanding is that the scheme translates to a sort of bytecode that then gets sent to the kernel, and there's a branch destination limit in the encoding of that bytecode, so jumps that are too long fail as above. If there isn't all that much actual code, that would stop the error from arising.

@lheckemann
Member

Disabling sandboxing and restarting nix-daemon causes the build to succeed

As an easier workaround (but a workaround nonetheless) I think you should be able to pass --no-sandbox on the command line as long as you're root or listed in trusted-users.

@mroi
Author

mroi commented Aug 13, 2018

Ah, did not know that. Thanks for the hint.

@angerman
Contributor

angerman commented Jan 8, 2020

Just ran into this today. Could run nix-build with --option sandbox true and build it successfully nor with --option sandbox false, due to some cc tools confusion.

Ended up doing --option sandbox true and then nix-build those failing derivations by hand. Not ideal. If anyone with some more insight has a TODO list of items to be done to get sandboxes working properly on macOS, let me know!

dhess added a commit to dhess/dhess-nix-darwin that referenced this issue Feb 18, 2020
Has path length issues. See NixOS/nix#2311
@adrian-gierakowski

I'm experiencing this as well. Any idea what it would take to fix it (so that we don't have to disable sandboxing)?

@stale

stale bot commented Feb 13, 2021

I marked this as stale due to inactivity.

@stale stale bot added the stale label Feb 13, 2021
@adrian-gierakowski

This is still relevant

@stale stale bot removed the stale label Feb 13, 2021
@domenkozar
Member

Same as #4119

@aviallon

aviallon commented Jan 4, 2022

Still relevant for me on arch

@stale

stale bot commented Jul 10, 2022

I marked this as stale due to inactivity.

@stale stale bot added the stale label Jul 10, 2022
@adrian-gierakowski

Looks like this hasn’t been fixed yet

@stale stale bot removed the stale label Jul 10, 2022
@stale stale bot added the stale label Jan 8, 2023
dhess added a commit to hackworthltd/hacknix that referenced this issue Jan 14, 2025
It seems like most of the macOS sandbox issues have been resolved,
except for the 64K sandbox program limit.

Here we enable the sandbox, but in order to work around this limit, we
add `/nix/store` to the allowed paths by default. (Presumably the
sandbox compiler is smart enough to replace multiple `/nix/store/...`
paths with a single `/nix/store` parent path.)

This is less than optimal, but much safer than disabling the sandbox
entirely, and probably safer than disabling the sandbox on a
per-package, as-needed basis, as well.

Ref:
NixOS/nix#4119 (comment)

Also see:

NixOS/nixpkgs#346945
NixOS/nix#6836
NixOS/nix#4119
amarshall/home-manager@d7319b7
NixOS/nixpkgs#366245
NixOS/nix#2311

Signed-off-by: Drew Hess <[email protected]>
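
The trade-off the commit message above describes (sandbox on, but `/nix/store` added to the sandbox paths) is easy to lose track of across a fleet of nix.conf files. As an added example that is not from the issue, nix-darwin or hacknix, here is a POSIX shell audit that classifies the sandbox posture a nix.conf declares. It assumes the `sandbox`, `sandbox-paths` and `extra-sandbox-paths` settings and the `target=source` / trailing `?` entry syntax of nix.conf; the category names and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue, nix-darwin or hacknix): classify the
# sandbox posture declared in a nix.conf so that the "/nix/store as a sandbox
# path" workaround is visible in review instead of silently weakening
# isolation. Category names are constructed for this example.
set -eu

# conf_value FILE KEY: value of the last "KEY = value" line (later lines win),
# with comments and trailing whitespace stripped; empty if KEY is unset.
conf_value() {
    sed -n 's/#.*//; s/[[:space:]]*$//; s/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1
}

# store_exposed PATHS: status 0 if any sandbox-paths entry mounts the whole
# store. Entries may be "target=source" (source is the host side) and may
# carry a trailing "?" marking an optional path.
store_exposed() {
    for p in $1; do
        host=${p#*=}
        host=${host%\?}
        case "$host" in
            /nix/store|/nix/store/) return 0 ;;
        esac
    done
    return 1
}

# sandbox_posture FILE: prints exactly one of
#   disabled       sandbox = false; builds run unconfined
#   relaxed        sandbox = relaxed; derivations can opt out (__noChroot)
#   store-exposed  sandbox on, but /nix/store is in (extra-)sandbox-paths,
#                  so every build can read undeclared store paths
#   unset          no sandbox line; the platform/version default applies
#   strict         sandbox on, no store-wide exposure
sandbox_posture() {
    f=$1
    mode=$(conf_value "$f" sandbox)
    paths="$(conf_value "$f" sandbox-paths) $(conf_value "$f" extra-sandbox-paths)"
    case "$mode" in
        false)   echo disabled; return 0 ;;
        relaxed) echo relaxed;  return 0 ;;
    esac
    if store_exposed "$paths"; then
        echo store-exposed
    elif [ -z "$mode" ]; then
        echo unset
    else
        echo strict
    fi
}

if [ $# -gt 0 ]; then
    sandbox_posture "$1"
fi
```

`store-exposed` is the state the commit above chooses: builds stay confined from the rest of the machine, but any build can read any store path rather than only its declared inputs, so the sandbox no longer catches undeclared store dependencies. `unset` is reported rather than guessed because the effective default depends on the platform and Nix version, and a reviewer should confirm it against the running daemon.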

8 participants