NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

`patchShebangs` fails for paths located in `/nix/store` on sandboxed Darwin #343576

Open al3xtjames opened 1 month ago

al3xtjames commented 1 month ago

Describe the bug

Say that we have a script located in /nix/store, such as /nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello. Running patchShebangs against the script will invoke sed to patch the interpreter paths. sed -i will create a temporary file under the same parent directory as the input file; in this case, this is in /nix/store. sed fails with a permission error if the sandbox is enabled on Darwin:

patching script interpreter paths in /nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello
/nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello: interpreter directive changed from "#!/usr/bin/env bash" to "/nix/store/ym80z3f4nq5p8sp5vfch39x55x2rfwpz-bash-5.2p32/bin/bash"
sed: couldn't open temporary file /nix/store/sedOYQ2Wi: Operation not permitted

I believe this is due to the sandbox profile not allowing the creation of files under /nix/store. Running nix build with --debug dumps the sandbox profile: https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b#file-sandbox-log

I'm not sure if this should be treated as a Nix/Lix bug and fixed by updating the sandbox profile, or if it should be fixed in nixpkgs. patchShebangs could be updated to pass a temporary file to sed -i, which would avoid creating temporary files in /nix/store.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Observe the build fail with nix build 'git+https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b' --no-write-lock-file --debug --option sandbox true
  2. Observe the build succeed with nix build 'git+https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b' --no-write-lock-file --debug --option sandbox false

Expected behavior

The build should succeed with the sandbox enabled.


Additional context

I ran into this while rebuilding neovim, specifically while building neovim-ruby-env. gen-stubs-script uses a similar pattern with patchShebangs, which fails with the same permission error:

https://github.com/NixOS/nixpkgs/blob/757af60317783eb99089921e3f3855d3337b4138/pkgs/development/ruby-modules/bundled-common/functions.nix#L64-L73

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
fetching github input 'github:NixOS/nixpkgs/nixpkgs-unstable'
 - system: `"x86_64-darwin"`
 - host os: `Darwin 23.6.0, macOS 10.16`
 - multi-user?: `yes`
 - sandbox: `relaxed`
 - version: `nix-env (Lix, like Nix) 2.91.0
System type: x86_64-darwin
Additional system types:
Features: gc, signed-caches
System configuration file: /etc/nix/nix.conf
User configuration files: /Users/alex/.config/nix/nix.conf:/Users/alex/.nix-profile/etc/xdg/nix/nix.conf:/etc/profiles/per-user/alex/etc/xdg/nix/nix.conf:/run/current-system/sw/etc/xdg/nix/nix.conf:/nix/var/nix/profiles/default/etc/xdg/nix/nix.conf
Store directory: /nix/store
State directory: /nix/var/nix
Data directory: /nix/store/qxhix72k2armql0w8ypm6yb9k2nv3cjp-lix-2.91.0/share`
 - nixpkgs: `/nix/store/x76i82ichcxssszb5i0ppzlmffms9iyk-source`

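The report above describes the failure mode precisely: `sed -i` creates its temporary file next to the input and then renames it over the original, and both of those steps need write access to the input's parent directory, which in the Darwin sandbox is /nix/store itself. The following is an added example, not nixpkgs' `patchShebangs` and not code from the reporter: a POSIX shell function that rewrites the interpreter line by assembling the new content in `$TMPDIR` and then truncating the original file in place, so the only write outside `$TMPDIR` is to the script itself (same inode, mode preserved, no new directory entry in the parent). It goes one step further than the "pass a temporary file to sed -i" idea and drops sed entirely in favour of `printf`/`tail`, so the interpreter path needs no escaping of `&`, `|` or `\`. The function and demo names (`patch_shebang_inplace`, `demo_patch_shebang`) are illustrative; the demo constructs a stand-in script in a temporary directory, uses the bash store path from the log above as the new interpreter, and makes the parent directory read-only to mimic /nix/store in the sandbox.

```shell
# Added example (not nixpkgs' patchShebangs): patch a script's "#!" line
# without `sed -i`, so nothing is created in the script's parent directory.
#
# patch_shebang_inplace FILE INTERPRETER
#   If FILE starts with "#!", replace that line with "#!INTERPRETER". The new
#   content is built in $TMPDIR and written back by truncating FILE, which
#   needs write permission on FILE only, not on its parent directory.
#   Returns 0 on success or when FILE has no shebang, non-zero on error.
patch_shebang_inplace() {
  file=$1
  interp=$2
  case "$(head -n 1 "$file")" in
    '#!'*) ;;
    *) return 0 ;;   # not a shebang script; nothing to do
  esac
  # Temporary file lives in $TMPDIR, never next to FILE (unlike `sed -i`).
  tmp=$(mktemp "${TMPDIR:-/tmp}/patch-shebang.XXXXXX") || return 1
  # printf/tail instead of sed: the interpreter path needs no escaping.
  { printf '#!%s\n' "$interp"; tail -n +2 "$file"; } > "$tmp" || { rm -f "$tmp"; return 1; }
  # Truncate-and-rewrite keeps the inode and mode; no rename into the parent.
  cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
}

# Demo with a constructed script (a stand-in for the /nix/store path in the
# report). The parent directory is made read-only to mimic /nix/store inside
# the sandbox; as root the chmod has no effect, but the function does not rely
# on it either way. Prints the patched script; returns non-zero if any file
# other than the script was left behind in the parent directory.
demo_patch_shebang() {
  dir=$(mktemp -d) || return 1
  script="$dir/hello"
  printf '#!/usr/bin/env bash\necho hello\n' > "$script"
  chmod 755 "$script"
  chmod 555 "$dir"
  if patch_shebang_inplace "$script" \
       /nix/store/ym80z3f4nq5p8sp5vfch39x55x2rfwpz-bash-5.2p32/bin/bash; then
    rc=0
  else
    rc=1
  fi
  cat "$script"
  # Only "hello" may exist here: no sedXXXXXX or other temporary file.
  [ "$(ls -A "$dir")" = hello ] || rc=1
  chmod 755 "$dir"
  rm -rf "$dir"
  return "$rc"
}

demo_patch_shebang
```

The demo relies on a Unix permission detail worth knowing when reasoning about sandboxes: writing to an existing file needs write permission on that file only, while creating or renaming an entry needs write permission on the directory. `sed -i` needs the latter; the truncate-and-rewrite above needs only the former, which is exactly what the Darwin profile grants for an output path that is a plain file.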

svrana commented 1 month ago

patchShebangs is generally run prior to copying the build artifacts to the Nix store. Not sure what's going on in the code from genStubsScript, but it looks bugged to me.

al3xtjames commented 1 month ago

update-python-libraries uses the same pattern which fails in the sandbox: https://github.com/NixOS/nixpkgs/blob/b4071a961b6cce17d50a1b3ae7ceca0d8b3e88e5/pkgs/development/interpreters/python/update-python-libraries/default.nix#L11-L12

patching script interpreter paths in /nix/store/9m8896qp3q48vx0d2ggflxa1jp0zj50w-update-python-libraries
/nix/store/9m8896qp3q48vx0d2ggflxa1jp0zj50w-update-python-libraries: interpreter directive changed from "#!/usr/bin/env python3" to "/nix/store/5n69zg6yrzsdfq7rnwf917fnwr32ggf9-python3-3.12.5-env/bin/python3"
sed: couldn't open temporary file /nix/store/sed22FWjT: Operation not permitted

svrana commented 1 month ago

Reading the nixpkgs reference manual on mkDerivation, and the fixup phase, where autoPatchelf and patchShebangs occur after the files have been installed in the store, I think this means that the code samples listed here should work.

This is all to say I'm not sure why you'd be having a problem with either the code listings or the example you provide. I'm on Linux (sandbox enabled), but your flake example works just fine there (when adjusted for x86_64-linux).

al3xtjames commented 1 month ago

I haven't looked at the Linux sandbox code, but AFAICT the Darwin sandbox profile only allows RW access to child directories of dependencies under /nix/store. /nix/store itself only gets read access: https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b#file-sandbox-log-L183