Merge pull request #44190 from andir/nixos/default-enable-sandboxing

nixos/nix-daemon: default `nix.useSandbox` to `true`.
2018-08-01 19:10:45 +02:00 · 2018-08-01 19:10:45 +02:00 · 17ee0a8662
parent e94fcbcd01 4f6df27aee
commit 17ee0a8662
2 changed files with 8 additions and 6 deletions
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@ -370,7 +370,9 @@ inherit (pkgs.nixos {
      <varname>s6-dns</varname>, <varname>s6-networking</varname>,
      <varname>s6-linux-utils</varname> and <varname>s6-portable-utils</varname> respectively.
    </para>
-   </listitem>
+  </listitem>
+  <listitem>
+    <para>The module option <option>nix.useSandbox</option> is now defaulted to <literal>true</literal>.
  </itemizedlist>
 </section>
 </section>
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -127,16 +127,16 @@ in

      useSandbox = mkOption {
        type = types.either types.bool (types.enum ["relaxed"]);
-        default = false;
+        default = true;
        description = "
          If set, Nix will perform builds in a sandboxed environment that it
          will set up automatically for each build. This prevents impurities
          in builds by disallowing access to dependencies outside of the Nix
          store by using network and mount namespaces in a chroot environment.
-          This isn't enabled by default for possible performance impacts due to
-          the initial setup time of a sandbox for each build. It doesn't affect
-          derivation hashes, so changing this option will not trigger a rebuild
-          of packages.
+          This is enabled by default even though it has a possible performance
+          impact due to the initial setup time of a sandbox for each build. It
+          doesn't affect derivation hashes, so changing this option will not
+          trigger a rebuild of packages.
        ";
      };