[OS X] Derivation fails with sandbox

[eamsden]

Describe the bug

When running a sandboxed build on OS X, a derivation fails with sandbox-exec: pattern serialization length 71710 exceeds maximum (65535)

If you have a problem with a specific package or NixOS,
you probably want to file an issue at https://github.com/NixOS/nixpkgs/issues.

Steps To Reproduce

Create a derivation with a sufficiently large number of inputs, and attempt to build it.

Expected behavior

The derivation builds

nix-env --version output
2.3.7

Additional context

I have done a bit of digging and it seems most likely that this is due to the fact that the OS X sandbox config is created by building a pattern mapping every path in the dependency closure of the derivation to a path in the sandbox individually:

nix/src/libstore/build.cc

Lines 3706 to 3729 in d761485

	/* Our inputs (transitive dependencies and any impurities computed above)
	without file-write* allowed, access() incorrectly returns EPERM
	*/
	sandboxProfile += "(allow file-read* file-write* process-exec\n";
	for (auto & i : dirsInChroot) {
	if (i.first != i.second.source)
	throw Error(
	"can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
	i.first, i.second.source);
	string path = i.first;
	struct stat st;
	if (lstat(path.c_str(), &st)) {
	if (i.second.optional && errno == ENOENT)
	continue;
	throw SysError("getting attributes of path '%s", path);
	}
	if (S_ISDIR(st.st_mode))
	sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
	else
	sandboxProfile += fmt("\t(literal \"%s\")\n", path);
	}
	sandboxProfile += ")\n";

[siraben]

For me the derivation that fails when I try to build with sandbox on macOS is my home-manager config.

Details

these derivations will be built:
  /nix/store/xfsgnyj7m6pmhjf1qzxawwvsd0nhppif-home-manager-path.drv
  /nix/store/r5s9k5m0apmlk6hn1bysb98pha3aikcm-activation-script.drv
  /nix/store/yclx6cws1qc2gyxn0j1pv70nr802ck69-home-manager-generation.drv
building '/nix/store/xfsgnyj7m6pmhjf1qzxawwvsd0nhppif-home-manager-path.drv'...
sandbox-exec: pattern serialization length 87092 exceeds maximum (65535)
builder for '/nix/store/xfsgnyj7m6pmhjf1qzxawwvsd0nhppif-home-manager-path.drv' failed with exit code 65
cannot build derivation '/nix/store/yclx6cws1qc2gyxn0j1pv70nr802ck69-home-manager-generation.drv': 1 dependencies couldn't be built
error: build of '/nix/store/yclx6cws1qc2gyxn0j1pv70nr802ck69-home-manager-generation.drv' failed

[bailey-busc]

Bumping because I just experienced this issue with Nix 2.4 (2.4pre20201201_5a6ddb3) when building a home-manager config via nix flakes.

error: --- Error ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
builder for '/nix/store/v75p8mffw7l7pg2pxdwqjfzx89rks8b2-home-manager-path.drv' failed with exit code 65; last 1 log lines:
  sandbox-exec: pattern serialization length 66460 exceeds maximum (65535)
error: --- Error ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
1 dependencies of derivation '/nix/store/8hpb5b7l19y2267dn11cbi4ilx67ribk-home-manager-generation.drv' failed to build
error: --- Error ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
1 dependencies of derivation '/nix/store/pjjh7a238hwjkvkvhmbmazrzk41jsyz5-user-environment.drv' failed to build
error: --- Error ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
1 dependencies of derivation '/nix/store/vskz1pxb41sv66irwx2689f39b8hnkld-activation-bbuscarino.drv' failed to build
error: --- Error ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
1 dependencies of derivation '/nix/store/ak7vwn1z37ymjv192iyl1v2fc5ibkwnx-darwin-system-21.03.20210209.74335e0+darwin4.dca3806.drv' failed to build

[hlolli]

hashtag me2

> nix run .#main-client-build
 warning: unknown setting 'allowUnfree'
warning: Git tree '/Users/hlodversigurdsson/Documents/testapp' is dirty
warning: unknown setting 'allowUnfree'
error: builder for '/nix/store/99swavz43gwjd27w7zx5a2q5gxbrmbxk-node-dependencies-_at_testapp_slash_main-client-1.0.0.drv' failed with exit code 65;
       last 1 log lines:
       > sandbox-exec: pattern serialization length 89274 exceeds maximum (65535)
       For full logs, run 'nix log /nix/store/99swavz43gwjd27w7zx5a2q5gxbrmbxk-node-dependencies-_at_testapp_slash_main-client-1.0.0.drv'.
error: 1 dependencies of derivation '/nix/store/mgi4b6a83rxqmzkv0603mia72fccwj1c-node-shell-_at_testapp_slash_main-client-1.0.0.drv' failed to build
> nix log /nix/store/99swavz43gwjd27w7zx5a2q5gxbrmbxk-node-dependencies-_at_testapp_slash_main-client-1.0.0.drv
warning: unknown setting 'allowUnfree'
sandbox-exec: pattern serialization length 89274 exceeds maximum (65535)
> nix --version
warning: unknown setting 'allowUnfree'
nix (Nix) 2.4pre20210503_6d2553a

[hlolli]

So it seems the generated sandbox profile has an s-expression exceeding the limit

when running with nix --debug

executing builder '/nix/store/ldfws5lqyz0irmb3bcvnjawyhsva38xq-bash-4.4-p23/bin/bash'
sandbox setup: Generated sandbox profile:
sandbox setup: (version 1)
sandbox setup: (deny default (with no-log))
sandbox setup: (import "sandbox-defaults.sb")
sandbox setup: (allow file-read* file-write* process-exec
sandbox setup:      (subpath "/nix/store/8xywf3whgq08045glmv99v2bgxmhvh00-node-dependencies-_at_testapp_slash_main-client-1.0.0")
sandbox setup: )
sandbox setup: (allow file-read* file-write* process-exec
sandbox setup:        (subpath "/System/Library/Frameworks")
sandbox setup:  (subpath "/System/Library/PrivateFrameworks")
sandbox setup:   (literal "/bin/bash")
sandbox setup:   (literal "/bin/sh")
sandbox setup:     (literal "/dev/random")
sandbox setup:         (literal "/dev/urandom")
sandbox setup:        (literal "/dev/zero")
sandbox setup:   (literal "/nix/store/006jl3mw0xiqwrfnmm0dn6zxkpaqkdar-http2-wrapper-1.0.3.tgz")
sandbox setup:         (literal "/nix/store/011f5148hdsm6yznj4rl30j4jhzlhrb6-is-buffer-1.1.6.tgz")
sandbox setup:     (literal "/nix/store/026dnivlzqrsdrf8pkc47hh5f3arm9kk-final-form-4.20.2.tgz")
....

I'm assuming splitting these statements into smaller blocks will fix this.

[domenkozar]

@toonn something to put on the list for https://opencollective.com/nix-macos

[domenkozar]

@toonn I went through Nix issues concerning macOS sandboxing and this is the only one left reported to fix.

It needs research when the limit kicks in and what's the workaround (maybe we have to use import and split the expression if it becomes too long).

[hlolli]

@toonn I went through Nix issues concerning macOS sandboxing and this is the only one left reported to fix.

It needs research when the limit kicks in and what's the workaround (maybe we have to use import and split the expression if it becomes too long).

I'd not be surprised that the limit is 65535, but that's hard to determine from counting the packages, because I think there's one sandbox item entry for every nix store path. I did read a bit about the sandbox specification from osx developer manual, and started attempting to write a fix by batching these in multiple files (which is totally possible, importing .sb files). But my lack of c++ knowledge, and especially modern c++ as is in the nix repo, got the better of me.

sandbox-exec: pattern serialization length 89274 exceeds maximum (65535)

[stale]

I marked this as stale due to inactivity. → More info