Mic92 / nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs
MIT License

Add bubblewrap sandbox #239

Closed thiagokokada closed 2 years ago

thiagokokada commented 2 years ago

Fixes https://github.com/Mic92/nixpkgs-review/issues/235.

This PR adds a sandbox based on bubblewrap.

Experimental and lacking tests. But I think that opening a PR will allow early feedback.

thiagokokada commented 2 years ago

Add some basic tests. They're not very good (basically a copy of the test_pr_local_eval with --sandbox being set), but at least should ensure that the feature doesn't break.

I think the PR is ready for review/merge now.

Mic92 commented 2 years ago

Seems to not quite work yet in my test:

% /nix/store/lp2yxfr37wy335b7c69d57rlk0281nmx-nixpkgs-review/bin/nixpkgs-review pr --sandbox 151077
$ git -c fetch.prune=false fetch --no-tags --force https://github.com/NixOS/nixpkgs master:refs/nixpkgs-review/0 pull/151077/head:refs/nixpkgs-review/1
$ git worktree add /home/joerg/.cache/nixpkgs-review/pr-151077-2/nixpkgs 100db36743794c9779284351d886d27f6c1a8097
Preparing worktree (detached HEAD 100db367437)
Updating files: 100% (29267/29267), done.
HEAD is now at 100db367437 Merge pull request #151058 from alyssais/runInLinuxVM-msize
$ git merge --no-commit --no-ff cf1895ec98a792752fc680bf93898ccc5b297c3b
Automatic merge went well; stopped before committing as requested
$ nix --experimental-features nix-command build --no-link --keep-going --option build-use-sandbox relaxed -f /home/joerg/.cache/nixpkgs-review/pr-151077-2/build.nix

Link to currently reviewing PR:
https://github.com/NixOS/nixpkgs/pull/151077

1 package built:
visidata

error: build log of '/nix/store/iyiyk6x3f5biab7cmfzpa0q4wxs0h2hj-visidata-2.8.drv' is not available
error: build log of '/nix/store/fbzly5dqk22j5635qm734v2rky75z6rh-visidata-2.8' is not available
Using sandbox mode. Some things may break!
$ /nix/store/nd32vqsm9m7y6rc98far5jicgd5n60za-bubblewrap-0.5.0/bin/bwrap --die-with-parent --unshare-cgroup --unshare-ipc --unshare-uts --ro-bind / / --dev-bind /dev /dev --tmpfs /tmp --dev-bind-try /run/user/1000 /run/user/1000 --tmpfs /run/media/joerg --tmpfs /home/joerg --bind /home/joerg/git/nixpkgs /home/joerg/git/nixpkgs --bind /home/joerg/.cache/nixpkgs-review/pr-151077-2 /home/joerg/.cache/nixpkgs-review/pr-151077-2 --ro-bind-try /home/joerg/.config/nixpkgs /home/joerg/.config/nixpkgs --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix --ro-bind-try /home/joerg/.Xauthority /home/joerg/.Xauthority --ro-bind-try /home/joerg/.config/hub /home/joerg/.config/hub --ro-bind-try /home/joerg/.config/gh /home/joerg/.config/gh -- /nix/store/n8x6ig1yf8ffpa07mwvxg6b7ilrrvfy1-nix-2.4/bin/nix-shell /home/joerg/.cache/nixpkgs-review/pr-151077-2/shell.nix
bwrap: Can't mkdir parents for /run/media/joerg: Read-only file system
$ git worktree prune
/nix/store/lp2yxfr37wy335b7c69d57rlk0281nmx-nixpkgs-review/bin/nixpkgs-review  6,19s user 6,27s system 76% cpu 16,239 total
$ mount
devtmpfs on /dev type devtmpfs (rw,nosuid,size=808908k,nr_inodes=2017518,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=3,mode=620,ptmxmode=666)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,size=8089052k)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=4044528k,mode=755)
none on /run/keys type ramfs (rw,nosuid,nodev,relatime,mode=750)
tmpfs on /run/wrappers type tmpfs (rw,nodev,relatime,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
zroot/root/nixos on / type zfs (rw,relatime,xattr,noacl)
zroot/root/nixos on /nix/store type zfs (ro,relatime,xattr,noacl)
none on /run/secrets.d type ramfs (ro,nosuid,nodev,relatime,mode=751)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
none on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
zroot/root/tmp on /tmp type zfs (rw,relatime,xattr,posixacl)
zroot/root/home on /home type zfs (rw,relatime,xattr,posixacl)
zroot/root/home on /home/joerg/Musik/podcasts type zfs (rw,relatime,xattr,posixacl)
/dev/nvme0n1p1 on /boot type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
tracefs on /sys/kernel/debug/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1617808k,nr_inodes=404452,mode=700,uid=1000,gid=100)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
bill:git/phd-thesis on /home/joerg/mnt/bill type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)

Mic92 commented 2 years ago

Unfortunately same issue:

╭─[~/git/nixpkgs]─[main]──[bubblewrap]─[17s]
╰─ % /nix/store/kr17dhsabppm33y0cz6jsm0x942d73l7-nixpkgs-review/bin/nixpkgs-review pr --sandbox 151077
$ git -c fetch.prune=false fetch --no-tags --force https://github.com/NixOS/nixpkgs master:refs/nixpkgs-review/0 pull/151077/head:refs/nixpkgs-review/1
$ git worktree add /home/joerg/.cache/nixpkgs-review/pr-151077-5/nixpkgs 5e939c2929d29e773dbc33ae7f0457634bf8f10f
Preparing worktree (detached HEAD 5e939c2929d)
Updating files: 100% (29267/29267), done.
HEAD is now at 5e939c2929d Merge pull request #151063 from LeSuisse/graylog-3.3.16
$ git merge --no-commit --no-ff cf1895ec98a792752fc680bf93898ccc5b297c3b
Automatic merge went well; stopped before committing as requested
$ nix --experimental-features nix-command build --no-link --keep-going --option build-use-sandbox relaxed -f /home/joerg/.cache/nixpkgs-review/pr-151077-5/build.nix

Link to currently reviewing PR:
https://github.com/NixOS/nixpkgs/pull/151077

1 package built:
visidata

error: build log of '/nix/store/iyiyk6x3f5biab7cmfzpa0q4wxs0h2hj-visidata-2.8.drv' is not available
error: build log of '/nix/store/fbzly5dqk22j5635qm734v2rky75z6rh-visidata-2.8' is not available
Using sandbox mode. Some things may break!
$ /nix/store/nd32vqsm9m7y6rc98far5jicgd5n60za-bubblewrap-0.5.0/bin/bwrap --die-with-parent --unshare-cgroup --unshare-ipc --unshare-uts --ro-bind / / --dev-bind /dev /dev --dir /tmp --tmpfs /tmp --dev-bind-try /run/user/1000 /run/user/1000 --dir /run/media/joerg --tmpfs /run/media/joerg --dir /home/joerg --tmpfs /home/joerg --bind /home/joerg/git/nixpkgs /home/joerg/git/nixpkgs --bind /home/joerg/.cache/nixpkgs-review/pr-151077-5 /home/joerg/.cache/nixpkgs-review/pr-151077-5 --ro-bind-try /home/joerg/.config/nixpkgs /home/joerg/.config/nixpkgs --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix --ro-bind-try /home/joerg/.Xauthority /home/joerg/.Xauthority --ro-bind-try /home/joerg/.config/hub /home/joerg/.config/hub --ro-bind-try /home/joerg/.config/gh /home/joerg/.config/gh -- /nix/store/n8x6ig1yf8ffpa07mwvxg6b7ilrrvfy1-nix-2.4/bin/nix-shell /home/joerg/.cache/nixpkgs-review/pr-151077-5/shell.nix
bwrap: Can't mkdir parents for /run/media/joerg: Read-only file system
$ git worktree prune
/nix/store/kr17dhsabppm33y0cz6jsm0x942d73l7-nixpkgs-review/bin/nixpkgs-review  4,19s user 5,25s system 76% cpu 12,303 total

thiagokokada commented 2 years ago

Removed the /run/media/{user} tmpfs since it is unnecessary (it might just expose some mounted filesystems).
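The failure in both logs above is bwrap being asked to put a tmpfs on /run/media/joerg, a directory that does not exist on the host: after `--ro-bind / /` the sandbox root is read-only, so neither `--tmpfs` nor a preceding `--dir` can create the mount point. The following added example (not nixpkgs-review's code nor the PR's; the function names, the `tmpfs_dirs` parameter and the sample paths in `demo()` are assumptions) builds the bwrap argument vector the same way the PR does but only emits a tmpfs for directories that exist on the host, and keeps the tmpfs that masks $HOME ahead of the binds that punch the worktree and cache back through it.

```python
"""Assemble a bubblewrap (bwrap) argument vector for a review shell.

Added example, not the code of nixpkgs-review or of the PR above. The
function names, the tmpfs_dirs parameter and the sample paths in demo()
are assumptions made for illustration.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, List, Sequence, Tuple


def split_tmpfs_targets(candidates: Iterable[Path]) -> Tuple[List[Path], List[Path]]:
    """Split tmpfs targets into those that exist on the host and those that do not.

    After `--ro-bind / /` the sandbox root is read-only, so bwrap cannot
    create a missing mount point: `--tmpfs /run/media/joerg` (and a
    preceding `--dir /run/media/joerg`) both fail with
    "Can't mkdir parents ... Read-only file system" when the directory is
    absent on the host. Only directories that already exist are usable.
    """
    usable: List[Path] = []
    skipped: List[Path] = []
    for path in candidates:
        (usable if path.is_dir() else skipped).append(path)
    return usable, skipped


def build_bwrap_args(home: Path, worktree: Path, cache_dir: Path,
                     tmpfs_dirs: Sequence[Path]) -> List[str]:
    """Return the bwrap options, i.e. everything before `-- <command>`."""
    args = [
        "--die-with-parent",
        "--unshare-cgroup", "--unshare-ipc", "--unshare-uts",
        # Whole host visible but read-only; writable paths are opted in below.
        "--ro-bind", "/", "/",
        "--dev-bind", "/dev", "/dev",
        "--tmpfs", "/tmp",
    ]
    usable, _skipped = split_tmpfs_targets(tmpfs_dirs)
    for directory in usable:
        # Mask the host directory (e.g. $HOME) with an empty, writable tmpfs.
        args += ["--tmpfs", str(directory)]
    # Order matters: the tmpfs hiding $HOME must come before the binds that
    # punch through it. Mount points under a tmpfs are created inside the
    # writable tmpfs, so those paths need not exist on the host.
    args += [
        "--bind", str(worktree), str(worktree),
        "--bind", str(cache_dir), str(cache_dir),
        "--ro-bind-try", str(home / ".config" / "nixpkgs"), str(home / ".config" / "nixpkgs"),
        "--ro-bind-try", str(home / ".config" / "gh"), str(home / ".config" / "gh"),
    ]
    return args


def run_in_sandbox(bwrap_args: Sequence[str], command: Sequence[str]) -> int:
    """Execute `command` under bwrap and return its exit status."""
    bwrap = shutil.which("bwrap")
    if bwrap is None:
        raise FileNotFoundError("bwrap not found on PATH")
    return subprocess.call([bwrap, *bwrap_args, "--", *command])


def demo() -> dict:
    """Run the builder against a scratch layout that stands in for a host.

    Constructed sample: the home directory exists, /run/media/<user> does
    not, mirroring the missing directory from the log above.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        home = root / "home" / "joerg"
        worktree = home / "git" / "nixpkgs"
        cache_dir = home / ".cache" / "nixpkgs-review" / "pr-151077-1"
        media = root / "run" / "media" / "joerg"  # deliberately never created
        for directory in (worktree, cache_dir):
            directory.mkdir(parents=True)
        usable, skipped = split_tmpfs_targets([home, media])
        args = build_bwrap_args(home, worktree, cache_dir, [home, media])
        return {
            "usable": [str(p) for p in usable],
            "skipped": [str(p) for p in skipped],
            "tmpfs_targets": [args[i + 1] for i, a in enumerate(args) if a == "--tmpfs"],
            "home_tmpfs_before_worktree_bind": args.index(str(home)) < args.index(str(worktree)),
        }


if __name__ == "__main__":
    print(demo())
```

One caveat on the PR's command line itself: it also passes `--dev-bind-try /run/user/1000`, `--ro-bind-try /tmp/.X11-unix` and `--ro-bind-try ~/.Xauthority`, which give the sandboxed nix-shell the user's session sockets and a usable X connection. That keeps GUI and D-Bus tooling working inside the review shell, but it also means a malicious PR's shell hooks can talk to the X server and session services, so the tmpfs over $HOME protects files, not the running session.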

thiagokokada commented 2 years ago

CC @Mic92 .

Mic92 commented 2 years ago

Thanks!