From 7f90eac69bdad6126530dbea314e4b9e974a5d91 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Mon, 10 Jul 2023 08:37:18 +0100 Subject: [PATCH] src/libstore/globals.hh: disable sandbox fallback sandbox fallbacks is very dangerous as host's paths tend to leak into build sandbox all the time from default search paths like /usr/bin. On linux build sandbox should always be enabled. THere are various reasons why sandbox fails to be enabled: - missing 'mount' and 'pid' namespace support in the kernel - extra (usually read-only) /proc mounts on top of vanilla /proc Try to address these problems first before trying to disable the sandbox. --- src/libstore/globals.hh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/src/libstore/include/nix/store/globals.hh +++ b/src/libstore/include/nix/store/globals.hh @@ -521,2 +521,2 @@ public: Setting sandboxFallback{ - this, true, "sandbox-fallback", "Whether to disable sandboxing when the kernel doesn't allow it."}; + this, false, "sandbox-fallback", "Whether to disable sandboxing when the kernel doesn't allow it."};