summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
authorAndreas Rammhold <andreas@rammhold.de>2018-08-01 19:10:45 +0200
committerGitHub <noreply@github.com>2018-08-01 19:10:45 +0200
commit17ee0a86622be62506fe5107f79a54817e98219e (patch)
tree0ca79af9f146651bace01a70c9973f6d00ba05f7 /nixos
parente94fcbcd01a7adc532d1081d3232e143efa422fe (diff)
parent4f6df27aee0a3f620d65280c7b6644d5cce094ae (diff)
downloadnixpkgs-17ee0a86622be62506fe5107f79a54817e98219e.tar
nixpkgs-17ee0a86622be62506fe5107f79a54817e98219e.tar.gz
nixpkgs-17ee0a86622be62506fe5107f79a54817e98219e.tar.bz2
nixpkgs-17ee0a86622be62506fe5107f79a54817e98219e.tar.lz
nixpkgs-17ee0a86622be62506fe5107f79a54817e98219e.tar.xz
nixpkgs-17ee0a86622be62506fe5107f79a54817e98219e.tar.zst
nixpkgs-17ee0a86622be62506fe5107f79a54817e98219e.zip
Merge pull request #44190 from andir/nixos/default-enable-sandboxing
nixos/nix-daemon: default `nix.useSandbox` to `true`.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1809.xml4
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix10
2 files changed, 8 insertions, 6 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml
index f03b1eab619..b80f30f0111 100644
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -370,7 +370,9 @@ inherit (pkgs.nixos {
       <varname>s6-dns</varname>, <varname>s6-networking</varname>,
       <varname>s6-linux-utils</varname> and <varname>s6-portable-utils</varname> respectively.
     </para>
-   </listitem>
+  </listitem>
+  <listitem>
+    <para>The module option <option>nix.useSandbox</option> is now defaulted to <literal>true</literal>.
   </itemizedlist>
  </section>
 </section>
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index e64df8dc7d2..5ca879bf266 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -127,16 +127,16 @@ in
 
       useSandbox = mkOption {
         type = types.either types.bool (types.enum ["relaxed"]);
-        default = false;
+        default = true;
         description = "
           If set, Nix will perform builds in a sandboxed environment that it
           will set up automatically for each build. This prevents impurities
           in builds by disallowing access to dependencies outside of the Nix
           store by using network and mount namespaces in a chroot environment.
-          This isn't enabled by default for possible performance impacts due to
-          the initial setup time of a sandbox for each build. It doesn't affect
-          derivation hashes, so changing this option will not trigger a rebuild
-          of packages.
+          This is enabled by default even though it has a possible performance
+          impact due to the initial setup time of a sandbox for each build. It
+          doesn't affect derivation hashes, so changing this option will not
+          trigger a rebuild of packages.
         ";
       };
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-04 04:04:29 +0000