Nix terminates with uncaught exception of type nix::SysError: error: getting status of /etc/ssl/certs/ca-certificates.crt on Darwin with sandbox enabled #8485
Describe the bug
After running into #7273 while running darwin-rebuild from nix-darwin, I tried deleting /nix/store/.links and rebuilding. darwin-rebuild then failed with the following error:
libc++abi: terminating with uncaught exception of type nix::SysError: error: getting status of /etc/ssl/certs/ca-certificates.crt: Operation not permitted
/private/tmp/nix-build-options-db.xml.drv-0/.attr-0l2nkwhif96f51f4amnlf414lhl4rv9vh8iffyp431v6s28gsr90: line 10: 75243 Abort trap: 6 nix-instantiate --store dummy:// --eval --xml --strict --expr '{file}: builtins.fromJSON (builtins.readFile file)' --argstr file /nix/store/9pmqhvmmmjphfs0k3n51fdmxrrcb39mh-options.json > options.xml
Steps To Reproduce
1. Enable the sandbox (I set nix.settings.sandbox = true in my flake, which sets sandbox = true in /etc/nix/nix.conf).
2. sudo rm -rf /nix/store/.links
3. darwin-rebuild --flake .#
I'm not sure how to easily reproduce this since I only saw it after encountering #7273.
Expected behavior
darwin-rebuild should have succeeded.
nix-env --version output
Additional context
I see that Nix adds the cert bundle to the chroot on Linux here:
nix/src/libstore/build/local-derivation-goal.cc
Lines 1780 to 1781 in bf7dc3c
On Darwin, should Nix add it to the sandbox profile? Maybe like this (untested):
Priorities
Add 👍 to issues you find important.