-rw-r--r--Makefile.config.in1
-rw-r--r--configure.ac6
-rw-r--r--release-common.nix21
-rw-r--r--release.nix9
-rw-r--r--shell.nix7
-rw-r--r--src/libstore/globals.cc4
-rw-r--r--src/libstore/local.mk2
7 files changed, 38 insertions, 12 deletions
diff --git a/Makefile.config.in b/Makefile.config.in
index 3cae30d48..45a70cd6d 100644
--- a/Makefile.config.in
+++ b/Makefile.config.in
@@ -28,6 +28,7 @@ localstatedir = @localstatedir@
mandir = @mandir@
pkglibdir = $(libdir)/$(PACKAGE_NAME)
prefix = @prefix@
+sandbox_shell = @sandbox_shell@
storedir = @storedir@
sysconfdir = @sysconfdir@
doc_generate = @doc_generate@
diff --git a/configure.ac b/configure.ac
index c7026cf95..24a95ce56 100644
--- a/configure.ac
+++ b/configure.ac
@@ -240,6 +240,12 @@ fi
AC_SUBST(tarFlags)
+AC_ARG_WITH(sandbox-shell, AC_HELP_STRING([--with-sandbox-shell=PATH],
+ [path of a statically-linked shell to use as /bin/sh in sandboxes]),
+ sandbox_shell=$withval)
+AC_SUBST(sandbox_shell)
+
+
# Expand all variables in config.status.
test "$prefix" = NONE && prefix=$ac_default_prefix
test "$exec_prefix" = NONE && exec_prefix='${prefix}'
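Review bot: `sandbox_shell=$withval` stores whatever autoconf puts in `$withval`, so `--with-sandbox-shell` without an argument yields `yes` and `--without-sandbox-shell` yields `no`, and either string is then substituted as the path that backs /bin/sh in sandboxes. Because the value is compiled into the store library's default sandbox paths, the option should treat `no` as unset and reject anything that is not an absolute path, for example `case "$withval" in /*) sandbox_shell=$withval ;; *) AC_MSG_ERROR([--with-sandbox-shell needs an absolute path]) ;; esac`. The help text asks for a statically-linked shell but nothing checks that; a short comment saying why it matters (presumably a dynamically-linked shell would also need its libraries inside the sandbox) would help packagers.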
diff --git a/release-common.nix b/release-common.nix
new file mode 100644
index 000000000..8047c75bd
--- /dev/null
+++ b/release-common.nix
@@ -0,0 +1,21 @@
+{ pkgs }:
+
+rec {
+ sh = pkgs.busybox.override {
+ useMusl = true;
+ enableStatic = true;
+ enableMinimal = true;
+ extraConfig = ''
+ CONFIG_ASH y
+ CONFIG_ASH_BUILTIN_ECHO y
+ CONFIG_ASH_BUILTIN_TEST y
+ CONFIG_ASH_OPTIMIZE_FOR_SIZE y
+ '';
+ };
+
+ configureFlags =
+ [ "--disable-init-state"
+ "--enable-gc"
+ "--with-sandbox-shell=${sh}/bin/busybox"
+ ];
+}
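Review bot: The new file does not say why the sandbox shell is a static, minimal busybox, although that is the property `--with-sandbox-shell` asks for in its help text. A comment above `sh` such as `# Statically linked shell used as /bin/sh in build sandboxes; only ash plus the echo and test builtins are enabled.` would record the intent. Next to `"--with-sandbox-shell=${sh}/bin/busybox"` it is also worth noting that the multi-call binary is exposed under the name /bin/sh, which is presumably what makes it run as ash.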
diff --git a/release.nix b/release.nix
index 54d20c868..f1a553d01 100644
--- a/release.nix
+++ b/release.nix
@@ -66,6 +66,8 @@ let
with import <nixpkgs> { inherit system; };
+ with import ./release-common.nix { inherit pkgs; };
+
releaseTools.nixBuild {
name = "nix";
src = tarball;
@@ -83,11 +85,8 @@ let
customMemoryManagement = false;
});
- configureFlags = ''
- --disable-init-state
- --enable-gc
- --sysconfdir=/etc
- '';
+ configureFlags = configureFlags ++
+ [ "--sysconfdir=/etc" ];
enableParallelBuilding = true;
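Review bot: `configureFlags = configureFlags ++ [ "--sysconfdir=/etc" ];` reads like a self-reference and only works because the set passed to `releaseTools.nixBuild` is not `rec`, so the right-hand side resolves through the `with import ./release-common.nix` scope added in the first hunk. Binding the import to a name keeps that explicit and avoids `sh` and `configureFlags` shadowing same-named attributes from the nixpkgs `with`: `let common = import ./release-common.nix { inherit pkgs; }; in` and then `configureFlags = common.configureFlags ++ [ "--sysconfdir=/etc" ];`. The same applies to `inherit configureFlags;` in shell.nix, which could be `inherit (common) configureFlags;`. The enclosing `let` starts and ends outside these hunks.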
diff --git a/shell.nix b/shell.nix
index 8645d3602..c4e2a20f8 100644
--- a/shell.nix
+++ b/shell.nix
@@ -2,6 +2,8 @@
with import <nixpkgs> {};
+with import ./release-common.nix { inherit pkgs; };
+
(if useClang then clangStdenv else stdenv).mkDerivation {
name = "nix";
@@ -22,10 +24,7 @@ with import <nixpkgs> {};
perlPackages.DBDSQLite
];
- configureFlags =
- [ "--disable-init-state"
- "--enable-gc"
- ];
+ inherit configureFlags;
enableParallelBuilding = true;
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 4bdbde989..3dd2508a2 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -47,8 +47,8 @@ Settings::Settings()
auto s = getEnv("NIX_REMOTE_SYSTEMS");
if (s != "") builderFiles = tokenizeString<Strings>(s, ":");
-#if __linux__
- sandboxPaths = tokenizeString<StringSet>("/bin/sh=" BASH_PATH);
+#if defined(__linux__) && defined(SANDBOX_SHELL)
+ sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
#endif
allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
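Review bot: The `defined(SANDBOX_SHELL)` guard is always true as the build stands, because the local.mk hunk passes `-DSANDBOX_SHELL="\"$(sandbox_shell)\""` unconditionally. When configure runs without `--with-sandbox-shell` the macro is an empty string and the default becomes the entry `/bin/sh=` with no source path; how that entry is handled later is not visible here. Define the macro only when a shell was configured, in local.mk: `ifneq ($(sandbox_shell),)`, then `libstore_CXXFLAGS += -DSANDBOX_SHELL="\"$(sandbox_shell)\""`, then `endif`. A comment at this `#if` should also say that without the option sandboxes get no /bin/sh by default, since the removed line always mapped it to bash on Linux. The Settings constructor starts and ends outside this hunk.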
diff --git a/src/libstore/local.mk b/src/libstore/local.mk
index 4da20330c..e06002587 100644
--- a/src/libstore/local.mk
+++ b/src/libstore/local.mk
@@ -27,7 +27,7 @@ libstore_CXXFLAGS = \
-DNIX_CONF_DIR=\"$(sysconfdir)/nix\" \
-DNIX_LIBEXEC_DIR=\"$(libexecdir)\" \
-DNIX_BIN_DIR=\"$(bindir)\" \
- -DBASH_PATH="\"$(bash)\"" \
+ -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
-DLSOF=\"$(lsof)\"
$(d)/local-store.cc: $(d)/schema.sql.hh