Open lilyball opened 5 years ago
On a linux machine with user namespaces enabled, sandboxes work without issue in a single-user install if they're either set to true in the `nix.conf` option, or if someone passes `--option sandbox true` on the cmdline, as far as I'm aware. I'd imagine it's similar for Darwin?

I tried `--option sandbox true` already without `sudo`, to see if it would work, and I get an error very early when the sandbox prevents accessing system frameworks:
```
> nix-build --option sandbox true . -A cargo-tree
[...]
Running cargo build --release
dyld: Library not loaded: /System/Library/Frameworks/Security.framework/Versions/A/Security
  Referenced from: /nix/store/x2kky8fly7pvnpswj2rrcn68sbnx0ysr-cargo-1.32.0/bin/.cargo-wrapped
  Reason: no suitable image found.  Did find:
	/System/Library/Frameworks/Security.framework/Versions/A/Security: file system sandbox blocked stat()
	/System/Library/Frameworks/Security.framework/Versions/A/Security: file system sandbox blocked stat()
/nix/store/zchs18skjv75qg2iy0srwz1dvrrmfkv7-stdenv-darwin/setup: line 1319: 83417 Abort trap: 6           cargo build --release --frozen
builder for '/nix/store/rnwr0jbb5zmirvf13m15fyfzz7zz425c-cargo-tree-0.22.0.drv' failed with exit code 134
error: build of '/nix/store/rnwr0jbb5zmirvf13m15fyfzz7zz425c-cargo-tree-0.22.0.drv' failed
```
Of course I don't know if this would work in a multi-user install using `sudo` either, but I would have to assume that it's supposed to.
I think the statement about root is indeed not correct for both linux and darwin. Sandboxing currently only works partially on darwin because of system frameworks, etc., but configuring it to be slightly less strict now works in a lot of cases:

```
sandbox = true
extra-sandbox-paths = /System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env
```
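An added example, not code from this thread or from Nix itself: it parses a `nix.conf` in the `key = value` format quoted above (assuming whitespace-separated list values and that an `extra-<name>` line appends to `<name>` rather than replacing it) and reports whether the framework path from the dyld error would be visible inside the sandbox. The sample config is constructed from the settings in the comment above.

```python
from typing import Dict, List

# Constructed sample: the settings from the comment above, plus a base
# sandbox-paths entry that uses the `inside=outside` mapping form.
SAMPLE_CONF = """\
# local overrides for a single-user Darwin install
sandbox = true
sandbox-paths = /bin/sh=/nix/store/EXAMPLE-bash/bin/sh
extra-sandbox-paths = /System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env
"""

SECURITY_FW = "/System/Library/Frameworks/Security.framework/Versions/A/Security"

def parse_nix_conf(text: str) -> Dict[str, List[str]]:
    """Return setting name -> list of whitespace-separated values.
    Only the first '=' separates key from value, so `inside=outside`
    path mappings survive intact; `extra-foo` appends to `foo`."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blanks
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("extra-"):
            settings.setdefault(key[len("extra-"):], []).extend(value.split())
        else:
            settings[key] = value.split()
    return settings

def sandbox_allows(settings: Dict[str, List[str]], path: str) -> bool:
    """True if the sandbox is on and `path` lies under an allowed entry.
    For `inside=outside` entries the left side is what the builder sees."""
    if settings.get("sandbox", ["false"])[0] not in ("true", "relaxed"):
        return False
    for entry in settings.get("sandbox-paths", []):
        inside = entry.split("=", 1)[0].rstrip("/") or "/"
        if path == inside or path.startswith(inside + "/"):
            return True
    return False

def missing_paths(settings: Dict[str, List[str]], paths: List[str]) -> List[str]:
    """Paths a build would need but the sandbox would block stat() on."""
    return [p for p in paths if not sandbox_allows(settings, p)]

if __name__ == "__main__":
    conf = parse_nix_conf(SAMPLE_CONF)
    print("blocked:", missing_paths(conf, [SECURITY_FW, "/Users/me/.ssh/id_ed25519"]))
```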
I marked this as stale due to inactivity.

I closed this issue due to inactivity.
Is this still the case? Should this be the default upon installing nix on osx?
The documentation on the `nix.conf` `sandbox` option says that it requires Nix to run as root and that I need to use `build-users-group` accordingly. The problem is, I have a single-user (Darwin) install, so I don't have any nix builder users, nor would I want them as the nix store is owned by my user account. The documentation on `build-users-group` says if it's unset it uses the uid of the Nix process, which is presumably not what I want (as that would be root, but I don't want to have root-owned paths in my nix store).

What I'd really like to see is some documentation somewhere of how to use `sandbox` with a single-user install. I'm trying to write up a PR for a package right now but I need to make sure that it works under the sandbox (e.g. I need to make sure any tests in the package aren't using the network).