Describe the bug
Say that we have a script located in /nix/store, such as /nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello. Running patchShebangs against the script will invoke sed to patch the interpreter paths. sed -i will create a temporary file under the same parent directory as the input file; in this case, this is in /nix/store. sed fails with a permission error if the sandbox is enabled on Darwin:
```
patching script interpreter paths in /nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello
/nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello: interpreter directive changed from "#!/usr/bin/env bash" to "/nix/store/ym80z3f4nq5p8sp5vfch39x55x2rfwpz-bash-5.2p32/bin/bash"
sed: couldn't open temporary file /nix/store/sedOYQ2Wi: Operation not permitted
```
I believe this is due to the sandbox profile not allowing the creation of files under /nix/store. Running nix build with --debug dumps the sandbox profile: https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b#file-sandbox-log
I'm not sure if this should be treated as a Nix/Lix bug and fixed by updating the sandbox profile or if it should be fixed in nixpkgs. patchShebangs could be updated to pass a temporary file to sed -i, which would avoid creating temporary files in /nix/store.
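The workaround sketched above, as an added example that is not nixpkgs' patchShebangs: sed writes into a scratch file under `$TMPDIR` instead of `-i` creating one beside the target, and the result is written back over the original inode so no new directory entry is needed in the store path. The function names `patch_shebang`, `shebang_of` and `demo` are chosen here; the interpreter path in `demo` is a constructed placeholder.

```shell
# Added example, not the nixpkgs patchShebangs implementation.
set -eu

# patch_shebang FILE NEW_INTERPRETER
# Rewrites line 1 of FILE from "#!<anything>" to "#!NEW_INTERPRETER".
# Works when FILE itself is writable but its parent directory may not
# receive new files (the /nix/store case inside the Darwin sandbox).
# Assumes NEW_INTERPRETER contains no '|' or '&' (sed delimiter/backref).
patch_shebang() {
  file=$1
  interp=$2
  # mktemp honours TMPDIR, so the scratch file never lands next to "$file"
  # the way "sed -i" would place it.
  tmp=$(mktemp "${TMPDIR:-/tmp}/patch-shebang.XXXXXX")
  # Filter instead of editing in place; only the first line is touched.
  sed -e "1s|^#!.*|#!${interp}|" "$file" > "$tmp"
  # "cat >" truncates and rewrites the existing inode, keeping its mode;
  # cp/mv would need to create a new entry in the parent directory.
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# shebang_of FILE: prints the first line, for checking the result.
shebang_of() {
  head -n 1 "$1"
}

# demo: constructed script in a directory made unwritable to mimic the
# sandbox restriction, then patched. Prints the resulting shebang.
demo() {
  dir=$(mktemp -d)
  script=$dir/hello
  printf '#!/usr/bin/env bash\necho hello\n' > "$script"
  chmod +x "$script"
  chmod a-w "$dir"   # no new files may be created beside the script
  patch_shebang "$script" /nix/store/PLACEHOLDER-bash/bin/bash
  shebang_of "$script"
  chmod u+w "$dir"
  rm -rf "$dir"
}
```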
Steps To Reproduce
Steps to reproduce the behavior:
- Observe the build fail with:
  ```
  nix build 'git+https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b' --no-write-lock-file --debug --option sandbox true
  ```
- Observe the build succeed with:
  ```
  nix build 'git+https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b' --no-write-lock-file --debug --option sandbox false
  ```
Expected behavior
The build should succeed with the sandbox enabled.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
I ran into this while rebuilding neovim, specifically while building neovim-ruby-env. gen-stubs-script uses a similar pattern with patchShebangs, which fails with the same permission error:
From nixpkgs/pkgs/development/ruby-modules/bundled-common/functions.nix (lines 64 to 73 at 757af60):

```nix
genStubsScript = runCommand "gen-bin-stubs"
  {
    strictDeps = true;
    nativeBuildInputs = [ ruby ];
  }
  ''
    cp ${./gen-bin-stubs.rb} $out
    chmod +x $out
    patchShebangs --build $out
  '';
```
Notify maintainers
Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.
```
[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
fetching github input 'github:NixOS/nixpkgs/nixpkgs-unstable'
```
- system: `"x86_64-darwin"`
- host os: `Darwin 23.6.0, macOS 10.16`
- multi-user?: `yes`
- sandbox: `relaxed`
- version: `nix-env (Lix, like Nix) 2.91.0
System type: x86_64-darwin
Additional system types:
Features: gc, signed-caches
System configuration file: /etc/nix/nix.conf
User configuration files: /Users/alex/.config/nix/nix.conf:/Users/alex/.nix-profile/etc/xdg/nix/nix.conf:/etc/profiles/per-user/alex/etc/xdg/nix/nix.conf:/run/current-system/sw/etc/xdg/nix/nix.conf:/nix/var/nix/profiles/default/etc/xdg/nix/nix.conf
Store directory: /nix/store
State directory: /nix/var/nix
Data directory: /nix/store/qxhix72k2armql0w8ypm6yb9k2nv3cjp-lix-2.91.0/share`
- nixpkgs: `/nix/store/x76i82ichcxssszb5i0ppzlmffms9iyk-source`