
Nix terminates with uncaught exception of type nix::SysError: error: getting status of /etc/ssl/certs/ca-certificates.crt on Darwin with sandbox enabled #8485

Description

@al3xtjames

Describe the bug

After running into #7273 while running darwin-rebuild from nix-darwin, I tried deleting /nix/store/.links and rebuilding. darwin-rebuild then failed with the following error:

libc++abi: terminating with uncaught exception of type nix::SysError: error: getting status of /etc/ssl/certs/ca-certificates.crt: Operation not permitted
/private/tmp/nix-build-options-db.xml.drv-0/.attr-0l2nkwhif96f51f4amnlf414lhl4rv9vh8iffyp431v6s28gsr90: line 10: 75243 Abort trap: 6           nix-instantiate --store dummy:// --eval --xml --strict --expr '{file}: builtins.fromJSON (builtins.readFile file)' --argstr file /nix/store/9pmqhvmmmjphfs0k3n51fdmxrrcb39mh-options.json > options.xml

Steps To Reproduce

  1. Enable the sandbox (I set nix.settings.sandbox = true in my flake, which sets sandbox = true in /etc/nix/nix.conf).
  2. Somehow reproduce "error: cannot link '/nix/store/.tmp-link' to '/nix/store/.links/...': File exists" #7273
  3. sudo rm -rf /nix/store/.links
  4. darwin-rebuild --flake .#

I'm not sure how to easily reproduce this since I only saw it after encountering #7273.

Expected behavior

darwin-rebuild should have succeeded.

nix-env --version output

nix-env (Nix) 2.13.3

Additional context

I see that Nix adds the cert bundle to the chroot on Linux here:

if (settings.caFile != "")
    dirsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);

On Darwin, should Nix add it to the sandbox profile? Maybe like this (untested):

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index b0289ac75..8b679c12f 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2014,11 +2014,15 @@ void LocalDerivationGoal::runChild()
                     #include "sandbox-defaults.sb"
                     ;
 
-                if (!derivationType.isSandboxed())
+                if (!derivationType.isSandboxed()) {
                     sandboxProfile +=
                         #include "sandbox-network.sb"
                         ;
 
+                    if (settings.caFile != "")
+                        sandboxProfile += fmt("(allow file-read*\n\t(literal \"%s\")\n", settings.caFile);
+                }
+
                 /* Add the output paths we'll use at build-time to the chroot */
                 sandboxProfile += "(allow file-read* file-write* process-exec\n";
                 for (auto & [_, path] : scratchOutputs)
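Review bot: the `fmt` call in the added lines never closes the `(allow ...)` form: the format string `"(allow file-read*\n\t(literal \"%s\")\n"` opens `(allow` and only closes `(literal ...)`, so the generated profile has an unbalanced parenthesis and will fail to parse. Suggested replacement: `sandboxProfile += fmt("(allow file-read* (literal \"%s\"))\n", settings.caFile);`. Two further points on the same lines: `settings.caFile` is spliced verbatim into a Scheme string literal, so a path containing `"` or `\` would need escaping (the Linux code quoted above maps the file by path, not by text, and has no such concern); and the rule only grants read access at the path `settings.caFile` names, whereas the Linux code exposes it inside the chroot at `/etc/ssl/certs/ca-certificates.crt`, which is the path the reported error asks for, so a build that looks for the bundle at that fixed location is still denied unless `caFile` already points there.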

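The following is an added example, not code from the Nix project or from the issue author. It shows how a single read-allow rule for the Darwin sandbox profile can be rendered with the path escaped as a proper string literal and with the `(allow ...)` form closed, plus a small balance check that catches the kind of unterminated form the proposed diff's format string produces. The function names (`escapeProfileString`, `allowFileReadRule`, `profileParensBalanced`) are the example's own, and the sample path is the one from the reported error.

```cpp
// Added example (not Nix project code): render a macOS sandbox-profile
// rule granting read access to one file, escaping the path so it stays a
// single well-formed string literal, and check that the fragment is
// parenthesis-balanced before it would be appended to a profile.
#include <iostream>
#include <string>

// Escape backslashes and double quotes so the path cannot end the
// (TinyScheme-style) string literal early.
std::string escapeProfileString(const std::string & s)
{
    std::string out;
    out.reserve(s.size() + 2);
    for (char c : s) {
        if (c == '\\' || c == '"') out += '\\';
        out += c;
    }
    return out;
}

// The rule the issue proposes for settings.caFile, with the closing
// parenthesis of (allow ...) that the posted diff's format string omits.
std::string allowFileReadRule(const std::string & path)
{
    return "(allow file-read* (literal \"" + escapeProfileString(path) + "\"))\n";
}

// Check that every '(' outside a string literal has a matching ')'.
// Returns false on a stray ')', an unclosed form, or an unterminated string.
bool profileParensBalanced(const std::string & profile)
{
    int depth = 0;
    bool inString = false;
    for (size_t i = 0; i < profile.size(); ++i) {
        char c = profile[i];
        if (inString) {
            if (c == '\\' && i + 1 < profile.size()) ++i;   // skip escaped char
            else if (c == '"') inString = false;
        } else if (c == '"') {
            inString = true;
        } else if (c == '(') {
            ++depth;
        } else if (c == ')') {
            if (--depth < 0) return false;
        }
    }
    return depth == 0 && !inString;
}

int main()
{
    // Sample path taken from the error in the report.
    const std::string caFile = "/etc/ssl/certs/ca-certificates.crt";
    std::string rule = allowFileReadRule(caFile);
    std::cout << rule
              << "balanced: " << (profileParensBalanced(rule) ? "yes" : "no") << "\n";

    // The fragment exactly as the diff's format string lays it out.
    std::string asPosted = "(allow file-read*\n\t(literal \"" + caFile + "\")\n";
    std::cout << "posted form balanced: "
              << (profileParensBalanced(asPosted) ? "yes" : "no") << "\n";
    return 0;
}
```

Running the check on the generated rule before appending it to `sandboxProfile` turns a silently broken profile into an error at the point where the rule is built, which is where the bug is easiest to trace.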