
nix-build Segmentation fault on MacOS Ventura (with sandbox enabled)

Open patryk4815 opened this issue 3 years ago • 4 comments

Describe the bug

Hi. I don't know how to debug this, but it looks like the sandbox causes this issue. When the sandbox is disabled, nix-build works :)

My current system: MacOS Ventura beta3 + Apple M1 Max

$ nix-build '<nixpkgs>' --check -A htop
checking outputs of '/nix/store/smr4vf7rzn6rqxsvq2dvq1lg1wkmrrw0-htop-3.2.1.drv'...
error: builder for '/nix/store/smr4vf7rzn6rqxsvq2dvq1lg1wkmrrw0-htop-3.2.1.drv' failed due to signal 11 (Segmentation fault: 11)

Steps To Reproduce

nix-build '<nixpkgs>' --check -A htop

Expected behavior

Sandbox should work :)

nix-env --version output

$ nix-env --version
nix-env (Nix) 2.10.3

patryk4815 avatar Jul 25 '22 00:07 patryk4815

There should, I think, be a crash report w/ more detail in console.app

abathur avatar Jul 25 '22 05:07 abathur

@abathur I see this in console.app:

Sandbox: bash(29711) deny(1) file-read-metadata /System/Cryptexes/OS
Sandbox: bash(29711) deny(1) file-read-metadata /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

https://threedots.ovh/blog/2022/06/a-quick-look-at-macos-rapid-security-response/

patryk4815 avatar Jul 25 '22 12:07 patryk4815

I added this patch and now the sandbox works 🎉

diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb
index d9d710559..9099041c3 100644
--- a/src/libstore/sandbox-defaults.sb
+++ b/src/libstore/sandbox-defaults.sb
@@ -92,6 +92,8 @@
 (allow file-read-metadata
        (literal "/etc")
        (literal "/var")
+       (literal "/System/Cryptexes/OS")
+       (literal "/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e")
        (literal "/private/var/tmp"))

 ; This is used by /bin/sh on macOS 10.15 and later.
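Review bot: the second new literal names an architecture-specific file (`dyld_shared_cache_arm64e`), so this rule only covers Apple Silicon hosts; a Ventura machine whose shared cache variant under the same `/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/` directory has a different name would still hit the deny. Consider a `(subpath ...)` rule on that dyld directory instead of one file, or at least a `;` comment next to the two entries recording why they exist (the Ventura cryptex layout from the linked post), in the same style as the `/bin/sh` comment just below. Scope-wise the addition is narrow, since it only grants metadata reads on read-only system paths, which matches the two deny lines reported above.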

patryk4815 avatar Jul 25 '22 12:07 patryk4815

@patryk4815 I'm curious — do you not run into trouble with sandboxed builds on macOS in general? Last time we tried it, we routinely encountered derivations whose list of rules exceeded the limit of the native macOS sandbox implementation. This is captured in https://github.com/NixOS/nix/issues/2311 but I'm wondering if this has been addressed in Ventura.

dhess avatar Aug 03 '22 11:08 dhess

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nix-on-macos-ventura/22733/2

nixos-discourse avatar Oct 24 '22 19:10 nixos-discourse

I just updated my M1 to macOS 13.0 (22A380) and nix-build '<nixpkgs>' --check -A htop works just fine with the sandbox enabled.

lilyball avatar Oct 25 '22 02:10 lilyball

If I check the Console there are plenty of deny logs like

error	19:48:28.760302-0700	kernel	Sandbox: coreutils(35370) deny(1) file-read-metadata /System/Cryptexes/OS
error	19:48:28.760312-0700	kernel	Sandbox: coreutils(35370) deny(1) file-read-metadata /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

So we probably should go ahead and add that to the sandbox profile, but at least with Nix 2.11.0 it's not blocking the build.

lilyball avatar Oct 25 '22 02:10 lilyball
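Added example, not code from this thread or from Nix: a small Python helper that turns Console deny lines like the ones quoted above into a per-operation summary and into candidate `file-read-metadata` rules in the SBPL syntax the sandbox profile uses, so the set of denied paths can be reviewed before anything is added to the profile. The sample log is constructed; its first two lines reuse the paths reported in this thread, the rest are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout macOS Console uses for sandbox denials.
# The first two paths are the ones reported in this thread; the rest is made up.
SAMPLE_LOG = """\
error\t19:48:28.760302-0700\tkernel\tSandbox: coreutils(35370) deny(1) file-read-metadata /System/Cryptexes/OS
error\t19:48:28.760312-0700\tkernel\tSandbox: coreutils(35370) deny(1) file-read-metadata /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e
error\t19:48:29.000001-0700\tkernel\tSandbox: bash(35371) deny(1) file-read-metadata /System/Cryptexes/OS
error\t19:48:29.000002-0700\tkernel\tSandbox: bash(35371) deny(1) file-read-data /private/etc/hosts
"""

# Matches "Sandbox: <process>(<pid>) deny(<n>) <operation> <path>" anywhere in a line.
DENY_RE = re.compile(
    r"Sandbox: (?P<proc>[^(]+)\((?P<pid>\d+)\) deny\(\d+\) (?P<op>\S+) (?P<path>\S+)"
)


def parse_denials(text):
    """Return one (process, pid, operation, path) tuple per deny line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            found.append((m["proc"], int(m["pid"]), m["op"], m["path"]))
    return found


def group_by_operation(denials):
    """Map each sandbox operation to the sorted list of distinct paths denied for it."""
    grouped = defaultdict(set)
    for _proc, _pid, op, path in denials:
        grouped[op].add(path)
    return {op: sorted(paths) for op, paths in grouped.items()}


def sbpl_rules(grouped, allowed_ops=("file-read-metadata",)):
    """Render candidate SBPL allow rules, but only for operations in allowed_ops.

    Metadata reads are what this thread's patch adds; any other operation
    (e.g. file-read-data) is deliberately left out so it gets reviewed by hand
    rather than turned into an allow rule automatically."""
    rules = []
    for op in allowed_ops:
        if op in grouped:
            literals = "\n".join(f'       (literal "{p}")' for p in grouped[op])
            rules.append(f"(allow {op}\n{literals})")
    return "\n".join(rules)
```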

Since Nix 2.11 it is working fine.

patryk4815 avatar Dec 30 '22 01:12 patryk4815