diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix
index c9346c33deffc..c31245352846f 100644
--- a/nixos/modules/system/boot/binfmt.nix
+++ b/nixos/modules/system/boot/binfmt.nix
@@ -262,7 +262,9 @@ in
 interpreter = mkDefault interpreterReg;
 fixBinary = mkDefault useStaticEmulator;
 wrapInterpreterInShell = mkDefault (!config.preserveArgvZero && !config.fixBinary);
- interpreterSandboxPath = mkDefault (dirOf (dirOf config.interpreter));
+ interpreterSandboxPath = mkDefault (
+ if config.fixBinary then null else dirOf (dirOf config.interpreter)
+ );
 }
 // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"))
 );
@@ -276,10 +278,13 @@ in
 let
 ruleFor = system: cfg.registrations.${system};
 hasWrappedRule = lib.any (system: (ruleFor system).wrapInterpreterInShell) cfg.emulatedSystems;
+ allFixBinary = lib.all (system: (ruleFor system).fixBinary) cfg.emulatedSystems;
 in
- [ "/run/binfmt" ]
+ lib.optional (!allFixBinary) "/run/binfmt"
 ++ lib.optional hasWrappedRule "${pkgs.bash}"
- ++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems);
+ ++ lib.filter (x: x != null) (
+ map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems
+ );
 };
 
 environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf" (
diff --git a/nixos/tests/systemd-binfmt.nix b/nixos/tests/systemd-binfmt.nix
index 33d6cdf51de2f..bab073954a9a0 100644
--- a/nixos/tests/systemd-binfmt.nix
+++ b/nixos/tests/systemd-binfmt.nix
@@ -103,7 +103,12 @@ in
 chroot = makeTest {
 name = "systemd-binfmt-chroot";
 nodes.machine =
- { pkgs, lib, ... }:
+ {
+ pkgs,
+ lib,
+ config,
+ ...
+ }:
 {
 boot.binfmt.emulatedSystems = [
 "aarch64-linux"
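Review bot: The new `null` default for `interpreterSandboxPath` gives no hint why a fixBinary registration needs no sandbox path, so the next maintainer cannot tell whether dropping the path was deliberate hardening or an oversight. A comment on the `if` line would make the rationale explicit, e.g. `# fixBinary (binfmt_misc flag F) makes the kernel open the interpreter at registration time, so sandboxed builds never resolve its path and the sandbox must not be widened for it`. It is also worth confirming that the option's type, declared outside this hunk, is a `nullOr`; otherwise this default fails evaluation rather than quietly narrowing the sandbox. The registration-defaults attrset this hunk edits begins before the hunk and its enclosing function ends after it.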
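Review bot: The `lib.filter (x: x != null)` drops the interpreter directory for every fixBinary registration, but the first hunk only defaults `wrapInterpreterInShell` to false for fixBinary, so a user can still end up with a registration that is both fixBinary and wrapped; if I read the wrapper mechanism correctly, `hasWrappedRule` then keeps bash in the sandbox while the interpreter the wrapper execs is no longer whitelisted, which breaks sandboxed builds instead of merely tightening them. Guarding the null default with `!config.wrapInterpreterInShell`, or adding an assertion rejecting `fixBinary && wrapInterpreterInShell`, would close that gap, e.g. `if config.fixBinary && !config.wrapInterpreterInShell then null else dirOf (dirOf config.interpreter)`. Note also that `lib.all` over an empty `cfg.emulatedSystems` is true, so `/run/binfmt` is now omitted when nothing is emulated; that is the right least-privilege outcome only if this attribute is otherwise gated on a non-empty list, which the hunk does not show. The `nix.settings.extra-sandbox-paths` definition begins before this hunk's `let`.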
@@ -121,6 +126,13 @@ in
 echo 42 | chroot /tmp/chroot /yaml2json | grep 42
 '')
 ];
+
+ assertions = [
+ {
+ assertion = config.nix.settings.extra-sandbox-paths == [ ];
+ message = "Using binfmt_misc with static emulators, nix.settings.extra-sandbox-paths should be empty";
+ }
+ ];
 };
 testScript = ''
 machine.start()
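Review bot: The added assertion pins the evaluation-time value of `nix.settings.extra-sandbox-paths` but nothing in this test exercises the consequence — that an aarch64 binary still executes inside a Nix build sandbox once neither `/run/binfmt` nor the interpreter directory is bind-mounted; the test script that follows only drives the emulator through a chroot. A follow-up step that runs the emulated binary via a sandboxed `nix-build` on the machine would surface a regression at runtime instead of relying on the F-flag reasoning alone. The `testScript` string continues past the end of this hunk.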