libstore/build: always enable seccomp filtering and no-new-privileges

Seccomp filtering and the no-new-privileges functionality improve the security
of the sandbox, and have been enabled by default for a long time. In
lix-project/lix#265 it was decided that they
should be enabled unconditionally. Accordingly, remove the allow-new-privileges
(which had weird behavior anyway) and filter-syscall settings, and force the
security features on. This turns libseccomp into a required dependency on
Linux.

Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb

doc/manual/rclone.conf

@@ -0,0 +1,8 @@
+[lix-docs]
+type = s3
+provider = Other
+env_auth = true
+endpoint = https://s3.lix.systems
+location_constraint = garage
+region = garage
+acl = private

doc/manual/redirects.js

@@ -24,7 +24,6 @@ const redirects = {
     "chap-writing-nix-expressions": "language/index.html",
     "part-command-ref": "command-ref/command-ref.html",
     "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
-    "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
     "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
     "conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
     "conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",

doc/manual/rl-next/linux-sandbox-consistency.md

@@ -0,0 +1,8 @@
+---
+synopsis: Enforce syscall filtering and no-new-privileges on Linux
+cls: 1063
+---
+
+In order to improve consistency of the build environment, system call filtering and no-new-privileges are now unconditionally enabled on Linux.
+The `filter-syscalls` and `allow-new-privileges` options which could be used to disable these features under some circumstances have been removed.
+Furthermore, libseccomp is now a required dependency on Linux, and syscall filtering cannot be disabled at build time any more either.

doc/manual/rl-next/repl-interrupt.md

@@ -0,0 +1,8 @@
+---
+synopsis: Interrupting builds in the REPL works more than once
+cls: 1097
+---
+
+Builds in the REPL can be interrupted by pressing Ctrl+C.
+Previously, this only worked once per REPL session; further attempts would be ignored.
+This issue is now fixed, so that builds can be canceled consistently.

doc/manual/src/installation/prerequisites-source.md

@@ -68,10 +68,7 @@ The most current alternative to this section is to read `package.nix` and see wh
     may also work, but ancient versions like the ubiquitous 2.5.4a
     won't.
 
-  - The `libseccomp` is used to provide syscall filtering on Linux. This
-    is an optional dependency and can be disabled passing a
-    `--disable-seccomp-sandboxing` option to the `configure` script (Not
-    recommended unless your system doesn't support `libseccomp`). To get
+  - The `libseccomp` is used to provide syscall filtering on Linux. To get
     the library, visit <https://github.com/seccomp/libseccomp>.
 
   - On 64-bit x86 machines only, `libcpuid` library

maintainers/upload_manual.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(dirname -- "$0")/.."
+
+# This script uploads the Lix manual to the Lix s3 store.
+# It expects credentials to be configured like so:
+#
+# ~/.aws/credentials:
+#
+# [default]
+# aws_access_key_id = SOMEACCESSKEY
+# aws_secret_access_key = SOMESECRETKEY
+#
+# default can also be replaced by some other string if AWS_PROFILE is set in
+# environment.
+#
+# See: https://rclone.org/s3/#authentication
+#
+# To obtain such a key, log into the garage host and run:
+# (obtain GARAGE_RPC_SECRET into environment perhaps by systemctl cat garage)
+# garage key create SOME-KEY-NAME
+# garage bucket allow --read --write docs --key SOME-KEY-NAME
+
+if [[ ! -f result-doc/share/doc/nix/manual/index.html ]]; then
+    echo -e "result-doc does not appear to contain a Lix manual. You can build one with:\n  nix build '.#default^*'" >&2
+    exit 1
+fi
+
+# --checksum: https://rclone.org/s3/#avoiding-head-requests-to-read-the-modification-time
+# By default rclone uses the modification time to determine if something needs
+# syncing. This is actually very bad for our use case, since we have small
+# files that have meaningless (Unix epoch) local modification time data. We can
+# make it go both 16x faster and more correct by using md5s instead.
+rclone \
+    --config doc/manual/rclone.conf \
+    -vv \
+    sync \
+    --checksum \
+    result-doc/share/doc/nix/manual/ lix-docs:docs/manual/nightly/

meson.build

@@ -180,11 +180,7 @@ configdata += {
 deps += cpuid
 
 # seccomp only makes sense on Linux
-seccomp_required = is_linux ? get_option('seccomp-sandboxing') : false
-seccomp = dependency('libseccomp', 'seccomp', required : seccomp_required, version : '>=2.5.5')
-configdata += {
-  'HAVE_SECCOMP': seccomp.found().to_int(),
-}
+seccomp = dependency('libseccomp', 'seccomp', required : is_linux, version : '>=2.5.5')
 
 libarchive = dependency('libarchive', required : true)
 deps += libarchive

meson.options

@@ -16,10 +16,6 @@ option('cpuid', type : 'feature',
   description : 'determine microarchitecture levels with libcpuid (only relevant on x86_64)',
 )
 
-option('seccomp-sandboxing', type : 'feature',
-  description : 'build support for seccomp sandboxing (recommended unless your arch doesn\'t support libseccomp, only relevant on Linux)',
-)
-
 option('sandbox-shell', type : 'string', value : 'busybox',
   description : 'path to a statically-linked shell to use as /bin/sh in sandboxes (usually busybox)',
 )

src/libcmd/repl.cc

@@ -262,6 +262,8 @@ ReplExitStatus NixRepl::mainLoop()
     std::string input;
 
     while (true) {
+        _isInterrupted = false;
+
         // When continuing input from previous lines, don't print a prompt, just align to the same
         // number of chars as the prompt.
         if (!interacter->getLine(input, input.empty() ? ReplPromptType::ReplPrompt : ReplPromptType::ContinuationPrompt)) {
@@ -424,8 +426,6 @@ ProcessLineResult NixRepl::processLine(std::string line)
     if (line.empty())
         return ProcessLineResult::PromptAgain;
 
-    _isInterrupted = false;
-
     std::string command, arg;
 
     if (line[0] == ':') {

src/libmain/shared.cc

@@ -320,16 +320,7 @@ int handleExceptions(const std::string & programName, std::function<void()> fun)
 
     std::string error = ANSI_RED "error:" ANSI_NORMAL " ";
     try {
-        try {
-            fun();
-        } catch (...) {
-            /* Subtle: we have to make sure that any `interrupted'
-               condition is discharged before we reach printMsg()
-               below, since otherwise it will throw an (uncaught)
-               exception. */
-            setInterruptThrown();
-            throw;
-        }
+        fun();
     } catch (Exit & e) {
         return e.status;
     } catch (UsageError & e) {

src/libstore/build/derivation-goal.cc

@@ -45,9 +45,6 @@
 #include <sys/param.h>
 #include <sys/mount.h>
 #include <sys/syscall.h>
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
 #define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
 #endif
 

src/libstore/build/local-derivation-goal.cc

@@ -43,9 +43,7 @@
 #include <sys/mount.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
-#if HAVE_SECCOMP
 #include <seccomp.h>
-#endif
 #define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
 #endif
 
@@ -1618,8 +1616,6 @@ void LocalDerivationGoal::chownToBuilder(const Path & path)
 void setupSeccomp()
 {
 #if __linux__
-    if (!settings.filterSyscalls) return;
-#if HAVE_SECCOMP
     scmp_filter_ctx ctx;
 
     if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))
@@ -1684,16 +1680,14 @@ void setupSeccomp()
         seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
         throw SysError("unable to add seccomp rule");
 
-    if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0)
+    // Set the NO_NEW_PRIVS prctl flag.
+    // This both makes loading seccomp filters work for unprivileged users,
+    // and is an additional security measure in its own right.
+    if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1) != 0)
         throw SysError("unable to set 'no new privileges' seccomp attribute");
 
     if (seccomp_load(ctx) != 0)
         throw SysError("unable to load seccomp BPF program");
-#else
-    throw Error(
-        "seccomp is not supported on this platform; "
-        "you can bypass this error by setting the option 'filter-syscalls' to false, but note that untrusted builds can then create setuid binaries!");
-#endif
 #endif
 }
 
@@ -1960,10 +1954,6 @@ void LocalDerivationGoal::runChild()
                 throw SysError("setuid failed");
 
             setUser = false;
-
-            // Make sure we can't possibly gain new privileges in the sandbox
-            if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
-                throw SysError("PR_SET_NO_NEW_PRIVS failed");
         }
 #endif
 

src/libstore/globals.hh

@@ -903,29 +903,6 @@ public:
         )"};
 
 #if __linux__
-    Setting<bool> filterSyscalls{
-        this, true, "filter-syscalls",
-        R"(
-          Whether to prevent certain dangerous system calls, such as
-          creation of setuid/setgid files or adding ACLs or extended
-          attributes. Only disable this if you're aware of the
-          security implications.
-        )"};
-
-    Setting<bool> allowNewPrivileges{
-        this, false, "allow-new-privileges",
-        R"(
-          (Linux-specific.) By default, builders on Linux cannot acquire new
-          privileges by calling setuid/setgid programs or programs that have
-          file capabilities. For example, programs such as `sudo` or `ping`
-          will fail. (Note that in sandbox builds, no such programs are
-          available unless you bind-mount them into the sandbox via the
-          `sandbox-paths` option.) You can allow the use of such programs by
-          enabling this option. This is impure and usually undesirable, but
-          may be useful in certain scenarios (e.g. to spin up containers or
-          set up userspace network interfaces in tests).
-        )"};
-
     Setting<StringSet> ignoredAcls{
         this, {"security.selinux", "system.nfs4_acl", "security.csm"}, "ignored-acls",
         R"(

src/libstore/linux/fchmodat2-compat.hh

@@ -20,18 +20,16 @@
 #pragma once
 ///@file
 
-#if HAVE_SECCOMP
-#  if defined(__alpha__)
-#    define NIX_SYSCALL_FCHMODAT2 562
-#  elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
-#    define NIX_SYSCALL_FCHMODAT2 1073742276
-#  elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
-#    define NIX_SYSCALL_FCHMODAT2 5452
-#  elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
-#    define NIX_SYSCALL_FCHMODAT2 6452
-#  elif defined(__mips__) && defined(_ABIO32) // mips32
-#    define NIX_SYSCALL_FCHMODAT2 4452
-#  else
-#    define NIX_SYSCALL_FCHMODAT2 452
-#  endif
-#endif // HAVE_SECCOMP
+#if defined(__alpha__)
+#  define NIX_SYSCALL_FCHMODAT2 562
+#elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
+#  define NIX_SYSCALL_FCHMODAT2 1073742276
+#elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
+#  define NIX_SYSCALL_FCHMODAT2 5452
+#elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
+#  define NIX_SYSCALL_FCHMODAT2 6452
+#elif defined(__mips__) && defined(_ABIO32) // mips32
+#  define NIX_SYSCALL_FCHMODAT2 4452
+#else
+#  define NIX_SYSCALL_FCHMODAT2 452
+#endif

src/libstore/meson.build

@@ -210,7 +210,6 @@ libstore = library(
     seccomp,
     sqlite,
     sodium,
-    seccomp,
     curl,
     openssl,
     aws_sdk,

src/libutil/signals.cc

@@ -9,21 +9,14 @@ namespace nix {
 
 std::atomic<bool> _isInterrupted = false;
 
-static thread_local bool interruptThrown = false;
 thread_local std::function<bool()> interruptCheck;
 
-void setInterruptThrown()
-{
-    interruptThrown = true;
-}
-
 void _interrupted()
 {
     /* Block user interrupts while an exception is being handled.
        Throwing an exception while another exception is being handled
        kills the program! */
-    if (!interruptThrown && !std::uncaught_exceptions()) {
-        interruptThrown = true;
+    if (!std::uncaught_exceptions()) {
         throw Interrupted("interrupted by the user");
     }
 }

src/libutil/signals.hh

@@ -22,8 +22,6 @@ extern std::atomic<bool> _isInterrupted;
 
 extern thread_local std::function<bool()> interruptCheck;
 
-void setInterruptThrown();
-
 void _interrupted();
 
 void inline checkInterrupt()

tests/functional/common/vars-and-functions.sh.in

@@ -54,8 +54,6 @@ export busybox="@sandbox_shell@"
 export version=@PACKAGE_VERSION@
 export system=@system@
 
-export BUILD_SHARED_LIBS=@BUILD_SHARED_LIBS@
-
 export IMPURE_VAR1=foo
 export IMPURE_VAR2=bar
 

tests/functional/meson.build

@@ -7,7 +7,6 @@ test_confdata = {
   'sandbox_shell': busybox.found() ? busybox.full_path() : '',
   'PACKAGE_VERSION': meson.project_version(),
   'system': host_system,
-  'BUILD_SHARED_LIBS': '1', # XXX(Qyriad): detect this!
 }
 
 # Just configures `common/vars-and-functions.sh.in`.
@@ -180,11 +179,15 @@ functional_tests_scripts = [
   'read-only-store.sh',
   'nested-sandboxing.sh',
   'debugger.sh',
-  'plugins.sh',
   'test-libstoreconsumer.sh',
   'extra-sandbox-profile.sh',
 ]
 
+# Plugin tests require shared libraries support.
+if get_option('default_library') != 'static'
+  functional_tests_scripts += ['plugins.sh']
+endif
+
 # TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make
 # buildsystem. See the comments at the top of setup-functional-tests.py for why this is here.
 meson.add_install_script(

tests/functional/plugins.sh

@@ -1,9 +1,5 @@
 source common.sh
 
-if [[ $BUILD_SHARED_LIBS != 1 ]]; then
-    skipTest "Plugins are not supported"
-fi
-
 # FIXME(Qyriad): this is working around Meson putting `libplugintest.so.p` in the same place
 # as `libplugintest.so`, so `libplugintest.*` grabs both.
 libext=so

tests/nixos/default.nix

@@ -1,11 +1,16 @@
-{ lib, nixpkgs, nixpkgsFor }:
+{
+  lib,
+  nixpkgs,
+  nixpkgsFor,
+}:
 
 let
 
   nixos-lib = import (nixpkgs + "/nixos/lib") { };
 
   # https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
-  runNixOSTestFor = system: test:
+  runNixOSTestFor =
+    system: test:
     (nixos-lib.runTest {
       imports = [ test ];
       hostPkgs = nixpkgsFor.${system}.native;
@@ -20,21 +25,25 @@ let
       # allow running tests against older nix versions via `nix eval --apply`
       # Example:
       #   nix build "$(nix eval --raw --impure .#hydraJobs.tests.fetch-git --apply 't: (t.forNix "2.19.2").drvPath')^*"
-      forNix = nixVersion: runNixOSTestFor system {
-        imports = [test];
-        defaults.nixpkgs.overlays = [(curr: prev: {
-          nix = (builtins.getFlake "nix/${nixVersion}").packages.${system}.nix;
-        })];
-      };
+      forNix =
+        nixVersion:
+        runNixOSTestFor system {
+          imports = [ test ];
+          defaults.nixpkgs.overlays = [
+            (curr: prev: { nix = (builtins.getFlake "nix/${nixVersion}").packages.${system}.nix; })
+          ];
+        };
     };
 
   # Checks that a NixOS configuration does not contain any references to our
   # locally defined Nix version.
-  checkOverrideNixVersion = { pkgs, lib, ... }: {
-    # pkgs.nix: The new Nix in this repo
-    # We disallow it, to make sure we don't accidentally use it.
-    system.forbiddenDependenciesRegex = lib.strings.escapeRegex "nix-${pkgs.nix.version}";
-  };
+  checkOverrideNixVersion =
+    { pkgs, lib, ... }:
+    {
+      # pkgs.nix: The new Nix in this repo
+      # We disallow it, to make sure we don't accidentally use it.
+      system.forbiddenDependenciesRegex = lib.strings.escapeRegex "nix-${pkgs.nix.version}";
+    };
 in
 
 {
@@ -47,42 +56,59 @@ in
   remoteBuilds_remote_2_3 = runNixOSTestFor "x86_64-linux" {
     name = "remoteBuilds_remote_2_3";
     imports = [ ./remote-builds.nix ];
-    builders.config = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
-    };
+    builders.config =
+      { lib, pkgs, ... }:
+      {
+        imports = [ checkOverrideNixVersion ];
+        nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
+      };
   };
 
-  remoteBuilds_remote_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
-    name = "remoteBuilds_remote_2_13";
-    imports = [ ./remote-builds.nix ];
-    builders.config = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
-    };
-  });
+  remoteBuilds_remote_2_13 = runNixOSTestFor "x86_64-linux" (
+    { lib, pkgs, ... }:
+    {
+      name = "remoteBuilds_remote_2_13";
+      imports = [ ./remote-builds.nix ];
+      builders.config =
+        { lib, pkgs, ... }:
+        {
+          imports = [ checkOverrideNixVersion ];
+          nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
+        };
+    }
+  );
 
   # TODO: (nixpkgs update) remoteBuilds_remote_2_18 = ...
 
   # Test our Nix as a builder for clients that are older
 
-  remoteBuilds_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
-    name = "remoteBuilds_local_2_3";
-    imports = [ ./remote-builds.nix ];
-    nodes.client = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
-    };
-  });
+  remoteBuilds_local_2_3 = runNixOSTestFor "x86_64-linux" (
+    { lib, pkgs, ... }:
+    {
+      name = "remoteBuilds_local_2_3";
+      imports = [ ./remote-builds.nix ];
+      nodes.client =
+        { lib, pkgs, ... }:
+        {
+          imports = [ checkOverrideNixVersion ];
+          nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
+        };
+    }
+  );
 
-  remoteBuilds_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
-    name = "remoteBuilds_local_2_13";
-    imports = [ ./remote-builds.nix ];
-    nodes.client = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
-    };
-  });
+  remoteBuilds_local_2_13 = runNixOSTestFor "x86_64-linux" (
+    { lib, pkgs, ... }:
+    {
+      name = "remoteBuilds_local_2_13";
+      imports = [ ./remote-builds.nix ];
+      nodes.client =
+        { lib, pkgs, ... }:
+        {
+          imports = [ checkOverrideNixVersion ];
+          nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
+        };
+    }
+  );
 
   # TODO: (nixpkgs update) remoteBuilds_local_2_18 = ...
 
@@ -95,19 +121,23 @@ in
   remoteBuildsSshNg_remote_2_3 = runNixOSTestFor "x86_64-linux" {
     name = "remoteBuildsSshNg_remote_2_3";
     imports = [ ./remote-builds-ssh-ng.nix ];
-    builders.config = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
-    };
+    builders.config =
+      { lib, pkgs, ... }:
+      {
+        imports = [ checkOverrideNixVersion ];
+        nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
+      };
   };
 
   remoteBuildsSshNg_remote_2_13 = runNixOSTestFor "x86_64-linux" {
     name = "remoteBuildsSshNg_remote_2_13";
     imports = [ ./remote-builds-ssh-ng.nix ];
-    builders.config = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
-    };
+    builders.config =
+      { lib, pkgs, ... }:
+      {
+        imports = [ checkOverrideNixVersion ];
+        nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
+      };
   };
 
   # TODO: (nixpkgs update) remoteBuildsSshNg_remote_2_18 = ...
@@ -116,25 +146,25 @@ in
 
   # FIXME: these tests don't work yet
   /*
-  remoteBuildsSshNg_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
-    name = "remoteBuildsSshNg_local_2_3";
-    imports = [ ./remote-builds-ssh-ng.nix ];
-    nodes.client = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
-    };
-  });
+    remoteBuildsSshNg_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
+      name = "remoteBuildsSshNg_local_2_3";
+      imports = [ ./remote-builds-ssh-ng.nix ];
+      nodes.client = { lib, pkgs, ... }: {
+        imports = [ checkOverrideNixVersion ];
+        nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
+      };
+    });
 
-  remoteBuildsSshNg_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
-    name = "remoteBuildsSshNg_local_2_13";
-    imports = [ ./remote-builds-ssh-ng.nix ];
-    nodes.client = { lib, pkgs, ... }: {
-      imports = [ checkOverrideNixVersion ];
-      nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
-    };
-  });
+    remoteBuildsSshNg_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
+      name = "remoteBuildsSshNg_local_2_13";
+      imports = [ ./remote-builds-ssh-ng.nix ];
+      nodes.client = { lib, pkgs, ... }: {
+        imports = [ checkOverrideNixVersion ];
+        nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
+      };
+    });
 
-  # TODO: (nixpkgs update) remoteBuildsSshNg_local_2_18 = ...
+    # TODO: (nixpkgs update) remoteBuildsSshNg_local_2_18 = ...
   */
 
   nix-copy-closure = runNixOSTestFor "x86_64-linux" ./nix-copy-closure.nix;
@@ -153,9 +183,10 @@ in
 
   containers = runNixOSTestFor "x86_64-linux" ./containers/containers.nix;
 
-  setuid = lib.genAttrs
-    ["i686-linux" "x86_64-linux"]
-    (system: runNixOSTestFor system ./setuid/setuid.nix);
+  setuid = lib.genAttrs [
+    "i686-linux"
+    "x86_64-linux"
+  ] (system: runNixOSTestFor system ./setuid/setuid.nix);
 
   ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
 
@@ -163,7 +194,9 @@ in
 
   symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix;
 
-  rootInSandbox = runNixOSTestFor "x86_64-linux" ./root-in-sandbox;
+  noNewPrivilegesInSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/sandbox.nix;
+
+  noNewPrivilegesOutsideSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/no-sandbox.nix;
 
   broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;
 }

tests/nixos/no-new-privileges/no-sandbox.nix

@@ -0,0 +1,21 @@
+let
+  inherit (import ../util.nix) mkNixBuildTest;
+in
+mkNixBuildTest {
+  name = "no-new-privileges-outside-sandbox";
+  extraMachineConfig =
+    { pkgs, ... }:
+    {
+      security.wrappers.ohno = {
+        owner = "root";
+        group = "root";
+        capabilities = "cap_sys_nice=eip";
+        source = "${pkgs.libcap}/bin/getpcaps";
+      };
+      nix.settings = {
+        extra-sandbox-paths = [ "/run/wrappers/bin/ohno" ];
+        sandbox = false;
+      };
+    };
+  expressionFile = ./package.nix;
+}

tests/nixos/no-new-privileges/package.nix

@@ -0,0 +1,8 @@
+{ runCommand, libcap }:
+runCommand "cant-get-capabilities" { nativeBuildInputs = [ libcap.out ]; } ''
+  if /run/wrappers/bin/ohno; then
+    echo "Oh no! We gained capabilities!"
+    exit 1
+  fi
+  touch $out
+''

tests/nixos/no-new-privileges/sandbox.nix

@@ -0,0 +1,18 @@
+let
+  inherit (import ../util.nix) mkNixBuildTest;
+in
+mkNixBuildTest {
+  name = "no-new-privileges-in-sandbox";
+  extraMachineConfig =
+    { pkgs, ... }:
+    {
+      security.wrappers.ohno = {
+        owner = "root";
+        group = "root";
+        capabilities = "cap_sys_nice=eip";
+        source = "${pkgs.libcap}/bin/getpcaps";
+      };
+      nix.settings.extra-sandbox-paths = [ "/run/wrappers/bin/ohno" ];
+    };
+  expressionFile = ./package.nix;
+}

tests/nixos/root-in-sandbox/default.nix

@@ -1,15 +0,0 @@
-let
-  inherit (import ../util.nix) mkNixBuildTest;
-in mkNixBuildTest {
-  name = "root-in-sandbox";
-  extraMachineConfig = { pkgs, ... }: {
-    security.wrappers.ohno = {
-      owner = "root";
-      group = "root";
-      setuid = true;
-      source = "${pkgs.coreutils}/bin/whoami";
-    };
-    nix.settings.extra-sandbox-paths = ["/run/wrappers/bin"];
-  };
-  expressionFile = ./package.nix;
-}

tests/nixos/root-in-sandbox/package.nix

@@ -1,8 +0,0 @@
-{ runCommand }:
-runCommand "cant-get-root-in-sandbox" {} ''
-  if /run/wrappers/bin/ohno; then
-    echo "Oh no! We're root in the sandbox!"
-    exit 1
-  fi
-  touch $out
-''