From b7fd872147ad1d3d91c8068686c37508199ba96e Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Wed, 28 May 2025 13:04:09 +0200
Subject: [PATCH 1/3] Cleanup

---
 src/libstore/unix/build/linux-derivation-builder.cc | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/libstore/unix/build/linux-derivation-builder.cc b/src/libstore/unix/build/linux-derivation-builder.cc
index 23850c373..fe62314f2 100644
--- a/src/libstore/unix/build/linux-derivation-builder.cc
+++ b/src/libstore/unix/build/linux-derivation-builder.cc
@@ -190,11 +190,7 @@ struct LinuxDerivationBuilder : DerivationBuilderImpl
      */
     std::optional<Path> cgroup;
 
-    LinuxDerivationBuilder(
-        Store & store, std::unique_ptr<DerivationBuilderCallbacks> miscMethods, DerivationBuilderParams params)
-        : DerivationBuilderImpl(store, std::move(miscMethods), std::move(params))
-    {
-    }
+    using DerivationBuilderImpl::DerivationBuilderImpl;
 
     void deleteTmpDir(bool force) override
     {

From 4dc419eaec84ca82abe0161a67f2596b04c8b75d Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 29 May 2025 21:57:25 +0200
Subject: [PATCH 2/3] Split LinuxDerivationBuilder

This restores doing seccomp/personality initialization even when
sandboxing is disabled.

https://hydra.nixos.org/build/298482132
---
 src/libstore/unix/build/derivation-builder.cc |  7 ++++++-
 .../unix/build/linux-derivation-builder.cc    | 20 +++++++++++++------
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
index 9935400b9..232a125e4 100644
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@@ -2157,7 +2157,7 @@ std::unique_ptr<DerivationBuilder> makeDerivationBuilder(
     }
 
     if (useSandbox)
-        return std::make_unique<LinuxDerivationBuilder>(
+        return std::make_unique<ChrootLinuxDerivationBuilder>(
             store,
             std::move(miscMethods),
             std::move(params));
@@ -2172,6 +2172,11 @@ std::unique_ptr<DerivationBuilder> makeDerivationBuilder(
         std::move(miscMethods),
         std::move(params),
         useSandbox);
+    #elif defined(__linux__)
+    return std::make_unique<LinuxDerivationBuilder>(
+        store,
+        std::move(miscMethods),
+        std::move(params));
     #else
     if (useSandbox)
         throw Error("sandboxing builds is not supported on this platform");
diff --git a/src/libstore/unix/build/linux-derivation-builder.cc b/src/libstore/unix/build/linux-derivation-builder.cc
index fe62314f2..c27b87163 100644
--- a/src/libstore/unix/build/linux-derivation-builder.cc
+++ b/src/libstore/unix/build/linux-derivation-builder.cc
@@ -154,6 +154,18 @@ static void doBind(const Path & source, const Path & target, bool optional = fal
 }
 
 struct LinuxDerivationBuilder : DerivationBuilderImpl
+{
+    using DerivationBuilderImpl::DerivationBuilderImpl;
+
+    void enterChroot() override
+    {
+        setupSeccomp();
+
+        linux::setPersonality(drv.platform);
+    }
+};
+
+struct ChrootLinuxDerivationBuilder : LinuxDerivationBuilder
 {
     /**
      * Pipe for synchronising updates to the builder namespaces.
@@ -190,7 +202,7 @@ struct LinuxDerivationBuilder : DerivationBuilderImpl
      */
     std::optional<Path> cgroup;
 
-    using DerivationBuilderImpl::DerivationBuilderImpl;
+    using LinuxDerivationBuilder::LinuxDerivationBuilder;
 
     void deleteTmpDir(bool force) override
     {
@@ -772,11 +784,7 @@ struct LinuxDerivationBuilder : DerivationBuilderImpl
         if (rmdir("real-root") == -1)
             throw SysError("cannot remove real-root directory");
 
-        // FIXME: move to LinuxDerivationBuilder
-        setupSeccomp();
-
-        // FIXME: move to LinuxDerivationBuilder
-        linux::setPersonality(drv.platform);
+        LinuxDerivationBuilder::enterChroot();
     }
 
     void setUser() override

From 908129eb2216863e4761730741779b5d21a886f5 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Fri, 30 May 2025 11:54:54 +0200
Subject: [PATCH 3/3] Cleanup

---
 src/libstore/unix/build/derivation-builder.cc | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
index 232a125e4..eca017487 100644
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@@ -2147,13 +2147,11 @@ std::unique_ptr<DerivationBuilder> makeDerivationBuilder(
     }
 
     #ifdef __linux__
-    if (useSandbox) {
-        if (!mountAndPidNamespacesSupported()) {
-            if (!settings.sandboxFallback)
-                throw Error("this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing");
-            debug("auto-disabling sandboxing because the prerequisite namespaces are not available");
-            useSandbox = false;
-        }
+    if (useSandbox && !mountAndPidNamespacesSupported()) {
+        if (!settings.sandboxFallback)
+            throw Error("this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing");
+        debug("auto-disabling sandboxing because the prerequisite namespaces are not available");
+        useSandbox = false;
     }
 
     if (useSandbox)
@@ -2163,7 +2161,7 @@ std::unique_ptr<DerivationBuilder> makeDerivationBuilder(
             std::move(params));
     #endif
 
-    if (params.drvOptions.useUidRange(params.drv))
+    if (!useSandbox && params.drvOptions.useUidRange(params.drv))
         throw Error("feature 'uid-range' is only supported in sandboxed builds");
 
     #ifdef __APPLE__