Kernel build is not sandboxed

[immae]

Issue description

The kernel module build seems not to be correctly sandboxed:

trace.txt

The use_blk_mq and mobile_lpm_policy modules that modinfo complains about are modules from my (building, but not nixos) local machine and not modules from the remote one, so there seems to be impureness happening when building modules. It’s reproduced with linuxPackages_latest and linuxPackages_hardened, both with sandbox = true and sandbox = relaxed. I’m not in a position to correctly test linuxPackages (I see no reason for it to be different though)

Steps to reproduce

Set boot.kernelPackages = pkgs.linuxPackages_latest in a nixops build, and try to build.

Technical details

• system: "x86_64-linux"
• host os: Linux 4.20.13-arch1-1-ARCH, Arch Linux, noversion
• multi-user?: yes
• sandbox: relaxed
• version: nix-env (Nix) 2.2.1
• channels(root): "nixpkgs-18.09.1834.9d608a6f592"
• channels(immae): ""
• nixpkgs: /nix/store/0ncif1fzmmcsx5f6h7c1ah9pzd8pgc10-nixexprs.tar.xz

(the nixpkgs version used to build the derivation was https://releases.nixos.org/nixos/19.03/nixos-19.03.172361.cf3e277dd0b/nixexprs.tar.xz )

cc @nh2

[immae]

Note: it seems to be harmless anyway, at least in my case, as everything boots correctly

[stale]

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

[xaverdh]

Is this still happening on recent nixpkgs ? (there were some major changes to pkgs/build-support/kernel/modules-closure.sh in the meantime)

Also I assume that these modules (and their options) were referenced on the kernel command line (i.e. /proc/cmdline) in your case? modprobe parses that, so that's probably the source of the impurity.

[immae]

@xaverdh : the server that has the terms in /proc/cmdline is now gone (but I can confirm that it had ahci.mobile_lpm_policy=0 dm_mod.use_blk_mq=0 scsi_mod.use_blk_mq=0 in it). All my remaining machines now have a "standard" content there so I’m now unable to reproduce this...

If you believe that the recent change fixed that feel free to close the issue!

[xaverdh]

My attempt at fixing this is here

[stale]

I marked this as stale due to inactivity. → More info