oxalica / rust-overlay

Pure and reproducible nix overlay of binary distributed rust toolchains
MIT License
956 stars 56 forks

fix sandbox builds on ventura #149

Closed j-baker closed 10 months ago

j-baker commented 11 months ago

The Cargo bundled in this project links against the operating system's libcurl. This can be demonstrated with

$ otool -L $(which cargo)
/nix/store/s8rb4j0rh3wm66r4hmgj4axcic321bak-rust-default-1.73.0/bin/cargo:
    /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 60420.101.2)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1971.0.0)
    /usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 9.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)

The system's libcurl dynamically depends on the system's libcrypto. On macOS 14, this (at some point) opens /private/etc/ssl/openssl.cnf. With the Nix sandbox on, this fails the build with

       > 8082083840:error:02FFF001:system library:func(4095):Operation not permitted:/AppleInternal/Library/BuildRoots/0032d1ee-80fd-11ee-8227-6aecfccc70fe/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:122:fopen('/private/etc/ssl/openssl.cnf', 'rb')
       > 8082083840:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/AppleInternal/Library/BuildRoots/0032d1ee-80fd-11ee-8227-6aecfccc70fe/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:127:
       > 8082083840:error:0EFFF002:configuration file routines:CRYPTO_internal:system lib:/AppleInternal/Library/BuildRoots/0032d1ee-80fd-11ee-8227-6aecfccc70fe/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/conf/conf_def.c:202:
       For full logs, run 'nix log /nix/store/h05s2pzw6qb5m50njk0vr7j6cimhcxmj-foo.drv'.

as reported in https://github.com/oxalica/rust-overlay/issues/148.

This could be 'fixed' in three places.

  1. On the Apple side. This probably won't happen.
  2. Inside Nix, by changing the sandbox definition. I'd argue that since this bug isn't really reachable with 'normal' Nix binaries (where you would link against the Nix openssl) it's not the ideal place to make the change. Additionally, it adds a Nix version dependency on usage of this tool. This is discussed here: https://github.com/NixOS/nix/issues/9625. For users where I work, this is painful as we deploy Nix using nix-darwin, and by default deploy a module using the Rust overlay, so we get a chicken-and-egg problem as each dev updates to Ventura.
  3. Here. We can change the link to point to a nixpkgs version of libcurl rather than the OS-provided version, and this avoids the macOS libressl implementation. This feels right because it seems analogous to 'I tried to run a random binary on NixOS and it couldn't find /lib64/ld-linux-x86-64.so.2', traditionally a derivation author's responsibility.

I chose 3 as being likely the most pragmatic solution, so here we are!

After this MR, we have:

$ otool -L $(which cargo)
/nix/store/km3i2b7dqb1h2ayy2qg239266ixkzxgl-rust-default-1.75.0/bin/cargo:
    /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 60420.101.2)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1971.0.0)
    /nix/store/c39qm57grkavw8a4hkramahpnspm1inq-curl-8.4.0/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 9.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)

In theory it might be more consistent/better to additionally replace the various other links with more nixy links, but I figured that the surgical approach was less intrusive at this time.
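
The before/after check described in this PR can be scripted so it runs in CI rather than by eye. The following is an added example, not code from the PR or from rust-overlay: it parses an `otool -L` listing and verifies that the libcurl load command resolves into /nix/store rather than /usr/lib, which is exactly the property that decides whether the sandboxed build will reach for the host's libressl and /private/etc/ssl/openssl.cnf. The two listings are constructed inline from the output quoted above so the script runs offline; the function names `system_libs` and `curl_is_hermetic` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the PR): audit an `otool -L` listing of cargo and
# check that libcurl is loaded from the Nix store, not from the host OS.
# Both listings below are constructed from the before/after output quoted in the PR.

BEFORE_LISTING='/nix/store/s8rb4j0rh3wm66r4hmgj4axcic321bak-rust-default-1.73.0/bin/cargo:
    /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 60420.101.2)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1971.0.0)
    /usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 9.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)'

AFTER_LISTING='/nix/store/km3i2b7dqb1h2ayy2qg239266ixkzxgl-rust-default-1.75.0/bin/cargo:
    /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 60420.101.2)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1971.0.0)
    /nix/store/c39qm57grkavw8a4hkramahpnspm1inq-curl-8.4.0/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 9.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)'

# Print every load path (first field of each line after the header) under /usr/lib.
# These are the dependencies resolved from the host OS, i.e. outside the Nix closure.
# Reads an `otool -L` listing on stdin.
system_libs() {
    awk 'NR > 1 && $1 ~ /^\/usr\/lib\// { print $1 }'
}

# Succeed (and print the resolved path) only if libcurl.4.dylib is loaded from
# /nix/store. Fail, with the offending path on stderr, if it comes from anywhere
# else or is missing. Reads an `otool -L` listing on stdin.
curl_is_hermetic() {
    path=$(awk 'NR > 1 && $1 ~ /\/libcurl\.4\.dylib$/ { print $1 }')
    case "$path" in
        /nix/store/*) printf '%s\n' "$path"; return 0 ;;
        *) printf 'libcurl resolves to %s\n' "${path:-<missing>}" >&2; return 1 ;;
    esac
}

# Stand-alone usage: audit both constructed listings. Against a real toolchain,
# feed the tool's output instead:  otool -L "$(command -v cargo)" | curl_is_hermetic
if printf '%s\n' "$BEFORE_LISTING" | curl_is_hermetic; then
    echo "before: hermetic"
else
    echo "before: system libcurl, sandboxed builds will try /private/etc/ssl/openssl.cnf"
fi
if printf '%s\n' "$AFTER_LISTING" | curl_is_hermetic; then
    echo "after: hermetic"
else
    echo "after: system libcurl"
fi
```

`system_libs` still reports libiconv and libSystem after the patch, which matches the PR's deliberately surgical scope: only the libcurl load command is rewritten, so a policy that requires an empty `system_libs` output would need the further "more nixy" rewrites the description leaves for later.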

n8henrie commented 11 months ago

Thank you @j-baker!

I can confirm the patch fixes the issue for me, using my test flake from https://github.com/NixOS/nix/issues/9625:

$ nix build
error: builder for '/nix/store/d8nfiihbhdg75wwzifscghnjc6344s5r-foo.drv' failed with exit code 1;
       last 10 log lines:
       > Finished cargoSetupPostPatchHook
       > updateAutotoolsGnuConfigScriptsPhase
       > configuring
       > building
       > Executing cargoBuildHook
       > ++ env CC_AARCH64_APPLE_DARWIN=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/cc CXX_AARCH64_APPLE_DARWIN=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/c++ CARGO_TARGET_AARCH64_APPLE_DARWIN_LINKER=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/cc CC_AARCH64_APPLE_DARWIN=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/cc CXX_AARCH64_APPLE_DARWIN=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/c++ CARGO_TARGET_AARCH64_APPLE_DARWIN_LINKER=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/cc CARGO_BUILD_TARGET=aarch64-apple-darwin HOST_CC=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/cc HOST_CXX=/nix/store/zh206nri10wwp68g7qf9ccya1irynx5g-clang-wrapper-16.0.6/bin/c++ cargo build -j 8 --target aarch64-apple-darwin --frozen --profile release
       > Auto configuration failed
       > 8019775488:error:02FFF001:system library:func(4095):Operation not permitted:/AppleInternal/Library/BuildRoots/0032d1ee-80fd-11ee-8227-6aecfccc70fe/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:122:fopen('/private/etc/ssl/openssl.cnf', 'rb')
       > 8019775488:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/AppleInternal/Library/BuildRoots/0032d1ee-80fd-11ee-8227-6aecfccc70fe/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/bio/bss_file.c:127:
       > 8019775488:error:0EFFF002:configuration file routines:CRYPTO_internal:system lib:/AppleInternal/Library/BuildRoots/0032d1ee-80fd-11ee-8227-6aecfccc70fe/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/conf/conf_def.c:202:
       For full logs, run 'nix log /nix/store/d8nfiihbhdg75wwzifscghnjc6344s5r-foo.drv'.
$
$ nix build \
    --override-input rust-overlay \
        github:j-baker/rust-overlay/647bff9f5e10d7f1756d86eee09831e6b1b06430
warning: not writing modified lock file of flake 'git+file:///private/var/folders/kb/tw_lp_xd2_bbv0hqk4m0bvt80000gn/T/tmp.TT1IrttYh8':
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/2b24e1f369f00f5ae9876e15e12f77e12c9c2374' (2023-12-29)
  → 'github:j-baker/rust-overlay/647bff9f5e10d7f1756d86eee09831e6b1b06430' (2023-12-29)
$ echo $?
0

j-baker commented 10 months ago

hi @oxalica, just wanted to see if this could get a review?

tolbrino commented 10 months ago

fwiw this patch works nicely for me as well

n8henrie commented 10 months ago

I'm also curious about thoughts on:

> In theory it might be more consistent/better to additionally replace the various other links with more nixy links

and happy to help contribute / test here if thought to be a good idea.