Add support for sandboxing on FreeBSD

New FreeBSD sandboxes are based on jails and chroots.
They provide fairly similar capabilities to sandboxes on
Linux and allow for pure builds of FreeBSD nixpkgs.
Although it would also be possble to use jails for Linux
emulation, that is not supported with this commit.

Change-Id: I619e1e34c56de7aaa64a38408210a410bb13adba
Change-Id: I071e6ae7e220884690b788d94f480866f428db71

Co-Authored-By: Artemis Tosini <me@artem.ist>
Co-Authored-By: K900 <me@0upti.me>
Co-Authored-By: John Ericson <John.Ericson@Obsidian.Systems>
Co-authored-by: Sergei Zimmerman <sergei@zimmerman.foo>

Author: 5 people

src/libstore/meson.build

@@ -151,6 +151,12 @@ endif
 configdata_priv.set('HAVE_SECCOMP', seccomp.found().to_int())
 deps_private += seccomp
 
+if host_machine.system() == 'freebsd'
+  # libjail is not in freebsd.libc, but there's no discovery mechanism
+  libjail = declare_dependency(link_args : [ '-ljail' ])
+  deps_other += libjail
+endif
+
 nlohmann_json = dependency('nlohmann_json', version : '>= 3.9')
 deps_public += nlohmann_json
 

src/libstore/package.nix

@@ -5,6 +5,7 @@
 
   unixtools,
   darwin,
+  freebsd,
 
   nix-util,
   boost,
@@ -65,6 +66,7 @@ mkMesonLibrary (finalAttrs: {
     sqlite
   ]
   ++ lib.optional stdenv.hostPlatform.isLinux libseccomp
+  ++ lib.optional stdenv.hostPlatform.isFreeBSD freebsd.libjail
   ++ lib.optional withAWS aws-crt-cpp;
 
   propagatedBuildInputs = [

src/libstore/unix/build/chroot-derivation-builder.cc

@@ -1,4 +1,4 @@
-#ifdef __linux__
+#if defined(__linux__) || defined(__FreeBSD__)
 
 namespace nix {
 
@@ -52,13 +52,16 @@ struct ChrootDerivationBuilder : virtual DerivationBuilderImpl
         return buildUser->getGID();
     }
 
+    virtual void extraChrootParentDirCleanup(const std::filesystem::path & chrootParentDir) {}
+
     void prepareSandbox() override
     {
         /* Create a temporary directory in which we set up the chroot
            environment using bind-mounts.  We put it in the Nix store
            so that the build outputs can be moved efficiently from the
            chroot to their final location. */
         std::filesystem::path chrootParentDir = store.toRealPath(drvPath) + ".chroot";
+        extraChrootParentDirCleanup(chrootParentDir);
         deletePath(chrootParentDir);
 
         /* Clean up the chroot directory automatically. */

src/libstore/unix/build/derivation-builder.cc

@@ -1273,13 +1273,22 @@ void DerivationBuilderImpl::runChild(RunChildArgs args)
             }
         }
 
+#if defined(__FreeBSD__)
+        /* Close all other file descriptors. This must happen before
+         * enterChroot for FreeBSD. */
+        unix::closeExtraFDs();
+#endif
+
         enterChroot();
 
         if (chdir(tmpDirInSandbox().c_str()) == -1)
             throw SysError("changing into %1%", tmpDir);
 
-        /* Close all other file descriptors. */
+#if !defined(__FreeBSD__)
+        /* Close all other file descriptors. This must happen after
+         * enterChroot for Linux. */
         unix::closeExtraFDs();
+#endif
 
         /* Disable core dumps by default. */
         struct rlimit limit = {0, RLIM_INFINITY};
@@ -1964,6 +1973,7 @@ StorePath DerivationBuilderImpl::makeFallbackPath(const StorePath & path)
 // FIXME: do this properly
 #include "chroot-derivation-builder.cc"
 #include "linux-derivation-builder.cc"
+#include "freebsd-derivation-builder.cc"
 #include "darwin-derivation-builder.cc"
 #include "external-derivation-builder.cc"
 
@@ -2026,6 +2036,11 @@ std::unique_ptr<DerivationBuilder> makeDerivationBuilder(
         return std::make_unique<ChrootLinuxDerivationBuilder>(store, std::move(miscMethods), std::move(params));
 
     return std::make_unique<LinuxDerivationBuilder>(store, std::move(miscMethods), std::move(params));
+#elif defined(__FreeBSD__)
+    if (useSandbox)
+        return std::make_unique<ChrootFreeBSDDerivationBuilder>(store, std::move(miscMethods), std::move(params));
+
+    return std::make_unique<FreeBSDDerivationBuilder>(store, std::move(miscMethods), std::move(params));
 #else
     if (useSandbox)
         throw Error("sandboxing builds is not supported on this platform");