From 35c1c170d7dc49bf3f878a2170be487c5d27c8b1 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Tue, 27 Aug 2019 21:17:20 +0200
Subject: nix.conf: Set sandbox-fallback = false

For security, we don't want the sandbox to be disabled silently.
---
 nixos/modules/services/misc/nix-daemon.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'nixos')

diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 6bc88c66dc19..088dfd71860b 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -8,7 +8,9 @@ let
 
   nix = cfg.package.out;
 
-  isNix20 = versionAtLeast (getVersion nix) "2.0pre";
+  nixVersion = getVersion nix;
+
+  isNix20 = versionAtLeast nixVersion "2.0pre";
 
   makeNixBuildUser = nr:
     { name = "nixbld${toString nr}";
@@ -61,6 +63,9 @@ let
           builders =
         ''}
         system-features = ${toString cfg.systemFeatures}
+        ${optionalString (versionAtLeast nixVersion "2.3pre") ''
+          sandbox-fallback = false
+        ''}
         $extraOptions
         END
       '' + optionalString cfg.checkConfig (
-- 
cgit 1.4.1