Open fogti opened 1 year ago
what would nix do on bsd? build without sandbox?
see #if __FreeBSD__
or #elif __FreeBSD__
limitation: https://github.com/NixOS/patchelf/issues/36
see also: https://github.com/ployground/bsdploy
The Nix sandbox appears to be only supported on Linux and MacOS, and is only enabled by default on linux. I wouldn't care about the patchelf limitation that much, because I'll try to avoid patchelf where'ever possible anyways, and want to build pretty much everything from source, and also modify too large builds (split them into smaller ones)... https://github.com/NixOS/nix/blob/26c7602c390f8c511f326785b570918b2f468892/src/libstore/globals.hh#L450-L454
The most difficult part would be probably finding out how exactly chroot/jails need to be amended using account limits/restrictions and other such stuff so that executing arbitrary binaries is safe (that is, shouldn't be able to escape from the sandbox, and shouldn't be able to access files from the host besides those in the input closure, no access to network, and besides denial of service and kernel exploits shouldn't be able to otherwise disrupt system operation)
It would be very nice to be able to use this from FreeBSD, but there exists no OCI runtime ecosystem for FreeBSD, and afaik also no support in the OCI runtime spec... so a completely separate implementation on top of (probably) FreeBSD jails + account limits would be necessary. An additional complication is that:
afaik we can't ensure that restriction at all. A user can submit arbitrary executables to be executed in the sandboxed environment, and restricting the access inside the jail to an unprivileged user also seems non-trivial. I think additional account limits, at least outside of the jail (maybe also inside?) are necessary. And a bit of research to harden that.