local-derivation-goal.cc: improve error messages when sandboxing fails

The failure modes for nix's sandboxing setup are pretty complicated. When nix is unable to set up the sandbox, let's provide more detail about what went wrong. Specifically: * Make sure the error message includes the word "sandbox" so the user knows that the failure was related to sandboxing. * If `--option sandbox-fallback false` was provided, and removing it would have allowed further attempts to make progress, let the user know.
author: Adam Joseph <adam@westernsemico.com> 2022-07-16 14:39:22 -0700
committer: Adam Joseph <adam@westernsemico.com> 2022-07-16 14:56:24 -0700
commit: 8ea3a911aa81d41efdff231f4b42b11d8861a000 (patch)
tree: dc0432583e495d43a809620d4387cbed518f4979
parent: 59764eb842d0da4f6fcf4ce4b85bf02ac1ae26fc (diff)
1 files changed, 17 insertions, 7 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index d1ec91ed5..86a59e427 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -850,13 +850,23 @@ void LocalDerivationGoal::startBuilder()
                 flags &= ~CLONE_NEWUSER;
                 child = clone(childEntry, stack + stackSize, flags, this);
             }
-            /* Otherwise exit with EPERM so we can handle this in the
-               parent. This is only done when sandbox-fallback is set
-               to true (the default). */
-            if (child == -1 && (errno == EPERM || errno == EINVAL) && settings.sandboxFallback)
-                _exit(1);
-            if (child == -1) throw SysError("cloning builder process");
-
+            if (child == -1)
+                switch(errno) {
+                    case EPERM:
+                    case EINVAL: {
+                        /* Otherwise exit with EPERM so we can handle this in the
+                           parent. This is only done when sandbox-fallback is set
+                           to true (the default). */
+                        if (settings.sandboxFallback)
+                            _exit(1);
+                        /* Mention sandbox-fallback in the error message so the user
+                           knows that having it disabled contributed to the
+                           unrecoverability of this failure */
+                        throw SysError("creating sandboxed builder process using clone(), without sandbox-fallback");
+                    }
+                    default:
+                        throw SysError("creating sandboxed builder process using clone()");
+                }
             writeFull(builderOut.writeSide.get(),
                 fmt("%d %d\n", usingUserNamespace, child));
             _exit(0);
author	Adam Joseph <adam@westernsemico.com>	2022-07-16 14:39:22 -0700
committer	Adam Joseph <adam@westernsemico.com>	2022-07-16 14:56:24 -0700
commit	8ea3a911aa81d41efdff231f4b42b11d8861a000 (patch)
tree	dc0432583e495d43a809620d4387cbed518f4979
parent	59764eb842d0da4f6fcf4ce4b85bf02ac1ae26fc (diff)