Chmod build root to make it read-only

Open noamraph opened this issue 1 year ago • 2 comments

Motivation

Currently, building Nix itself fails in single-user installation - see https://github.com/NixOS/nix/issues/11295. This is because some build steps run something like mkdir -p $HOME/.cache, and since $HOME is /homeless-shelter and / is writable, the directory /homeless-shelter is created, which may cause the builder to fail.

This PR just runs a chmod on the build root directory prior to chroot, to make it read-only. This seems to solve the issue.

Context

  • Bug report: https://github.com/NixOS/nix/issues/11295
  • A PR that shows that building Nix fails in single-user installation: https://github.com/NixOS/nix/pull/11397
  • A previous attempt at solving the issue, by using /proc/homeless-shelter instead of /homeless-shelter, which was reverted since it caused mkdir $HOME to fail with ENOENT instead of EPERM, which caused builds to fail: https://github.com/NixOS/nix/pull/11300

Priorities and Process

Add :+1: to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

noamraph, Sep 09 '24 15:09

Team discussion: This is a good idea so long as it's not done when the derivation has the uid-range feature. (In that case, the builder is root in its user namespace so it should be able to create /homeless-shelter.)

edolstra, Jun 04 '25 20:06

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2025-05-04-nix-team-meeting-minutes-230/65206/1

nixos-discourse, Jun 04 '25 22:06
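
The behaviour the PR description and the team comment rely on, as an added example that is not part of the PR or of the Nix code base: a temporary directory stands in for the build root (an assumption; no real sandbox or chroot is involved), and `probe_home` is a hypothetical helper that repeats the `mkdir -p $HOME/.cache` step against a writable and a read-only root.

```shell
#!/bin/sh
# Constructed demo. A mktemp directory plays the role of the build root "/",
# and HOME points at <root>/homeless-shelter, as in the sandbox.

# probe_home MODE
#   Create a stand-in root, chmod it to MODE, then do what the failing build
#   steps do: mkdir -p "$HOME/.cache". Prints whether the mkdir succeeded and
#   whether a homeless-shelter directory was left behind in the root.
probe_home() {
    root=$(mktemp -d) || return 2
    chmod "$1" "$root"

    if HOME="$root/homeless-shelter" sh -c 'mkdir -p "$HOME/.cache"' 2>/dev/null
    then
        result=created
    else
        result=denied
    fi

    if [ -d "$root/homeless-shelter" ]; then
        leaked=yes
    else
        leaked=no
    fi

    # Restore write permission so the stand-in root can be cleaned up.
    chmod 755 "$root"
    rm -rf "$root"
    echo "$result leaked=$leaked"
}

# Writable root: the directory appears, which is the situation the PR describes.
echo "writable root (755):  $(probe_home 755)"

# Read-only root: an unprivileged builder is refused and nothing is created.
# Run as root, this case normally reports "created" as well, because root is
# not bound by directory permission bits; that is the uid-range case raised
# in the team discussion.
echo "read-only root (555): $(probe_home 555)"
```
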