From 7f90eac69bdad6126530dbea314e4b9e974a5d91 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Mon, 10 Jul 2023 08:37:18 +0100 Subject: [PATCH] src/libstore/globals.hh: disable sandbox fallback sandbox fallbacks is very dangerous as host's paths tend to leak into build sandbox all the time from default search paths like /usr/bin. On linux build sandbox should always be enabled. THere are various reasons why sandbox fails to be enabled: - missing 'mount' and 'pid' namespace support in the kernel - extra (usually read-only) /proc mounts on top of vanilla /proc Try to address these problems first before trying to disable the sandbox. --- a/lix/libstore/settings/sandbox-fallback.md +++ b/lix/libstore/settings/sandbox-fallback.md @@ -2,6 +2,6 @@ name: sandbox-fallback internalName: sandboxFallback type: bool -default: true +default: false --- Whether to disable sandboxing when the kernel doesn't allow it.