Open Zimmi48 opened 6 years ago
the nix sandboxing requires access to cgroups, which is not available under docker by default. The container would have to be executed with the `--privileged` flag. After that, add `--option sandbox true` to nix-build invocations. Or set `sandbox=true` in `/etc/nix/nix.conf`.
Doing so on standard CI systems is either impossible or overly complicated. Would there be a way to have a "light" sandboxing mode which doesn't do what is impossible to do without access to cgroups, but which still removes `/bin/sh` and `/usr/bin/env` and thus ensures that all scripts are correctly patched (in practice, these were the errors that were regularly introduced)?
The only solution I can think of right now is to `rm /bin /usr/bin/env` from the container. All the commands are still available in `/nix/var/nix/profiles/default/bin`.
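A less invasive way to get the guarantee the "light" sandbox is after (every script in the build output has had its shebang patched to a store path) is to scan the output tree for interpreters that still point at `/bin/sh`, `/bin/bash` or `/usr/bin/env` and fail the CI job when any are found. The following is an added example written for this thread; it is not code from the issue or from the nix docker image repository. The sample tree it builds, and the `/nix/store/xxxx-bash` path in it, are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect scripts whose shebang was not patched by Nix, so an
# unprivileged CI container can catch what a sandboxed build would reject.

# Print the path of every regular file under $1 whose first line is a
# shebang naming an impure host interpreter. Prints nothing when clean.
# find -exec ... + hands batches of files to one inner sh, so paths with
# spaces are handled and no subshell variable is lost.
list_unpatched_shebangs() {
    find "$1" -type f -exec sh -c '
        for f in "$@"; do
            case $(head -n 1 "$f" 2>/dev/null) in
                "#!/bin/sh"*|"#!/bin/bash"*|"#!/usr/bin/env"*) printf "%s\n" "$f" ;;
            esac
        done' sh {} +
}

# CI gate: return 0 if the tree is clean, 1 (listing offenders on stderr)
# otherwise. Usage: check_shebangs /path/to/result
check_shebangs() {
    bad=$(list_unpatched_shebangs "$1")
    if [ -n "$bad" ]; then
        printf 'unpatched shebangs found:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample output tree: one properly patched script, two that
# still reference host interpreters, and a non-script file. The store path
# is a placeholder, not a real derivation.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/clean"
    printf '#!/nix/store/xxxx-bash/bin/bash\necho patched\n' > "$d/bin/good"
    printf '#!/bin/sh\necho unpatched\n' > "$d/bin/bad1"
    printf '#!/usr/bin/env python\nprint(1)\n' > "$d/bin/bad2"
    printf 'plain data, not a script\n' > "$d/README"
    printf '#!/nix/store/xxxx-bash/bin/bash\necho also patched\n' > "$d/clean/ok"
    printf '%s' "$d"
}

# When run directly with a directory argument, act as the CI gate.
if [ "$#" -gt 0 ]; then
    check_shebangs "$1"
fi
```

Running `check_shebangs "$(nix-build ...)"` after the build reproduces the part of the sandbox that catches the unpatched-script class of error, without touching `/bin` or needing `--privileged`; it does not replace the sandbox's other guarantees (network isolation, hidden store paths), which still require cgroups.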
How can we build with sandboxing using the Nix docker image? Could it be activated by default? I see in the NixOS 18.09 release notes that it's now activated by default. In Coq, we regularly break the sandboxed build of our `default.nix` because our CI (which uses the image defined here) does not detect this. Then we notice when we try the same thing on our own machines.