
nix-user-chroot breaks sandboxing #102

@zmanji

Description


On an Ubuntu Jammy machine I cannot get nix to build with the sandbox enabled and sandbox fallback disabled.

To reproduce, first ensure the following is added to ~/.config/nix/nix.conf:

sandbox-fallback = false

Then run:

$ wget https://github.com/nix-community/nix-user-chroot/releases/download/1.2.2/nix-user-chroot-bin-1.2.2-x86_64-unknown-linux-musl -O nix-user-chroot
$ mkdir mynix
$ ./nix-user-chroot mynix bash -c "curl -L https://nixos.org/nix/install | bash"

Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation
performing a single-user installation of Nix...
copying Nix to /nix/store...

installing 'nix-2.12.0'
error: creating sandboxed builder process using clone(), without sandbox-fallback: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.BKErg7AOml/unpack/nix-2.12.0-x86_64-linux/install: unable to install Nix into your default profile

However, using bwrap works fine:

$ bwrap --version
bubblewrap 0.6.1
$ bwrap --unshare-user --uid $(id -u) --gid $(id -g) --die-with-parent --bind ./mynix /nix --proc /proc --dev /dev  --tmpfs /tmp --bind /bin/ /bin/ --bind /etc/ /etc/ --bind /home/zmanji/ /home/zmanji/ --bind /lib/ /lib/ --bind /lib64 /lib64 --bind /sbin/ /sbin --bind /run /run --bind /usr/ /usr/ --bind /var/ /var/ bash -c "curl -L https://nixos.org/nix/install | bash"

Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation
performing a single-user installation of Nix...
copying Nix to /nix/store...

installing 'nix-2.12.0'
building '/nix/store/0dg0zjj2j6hijn193x1215yssrg7n1xs-user-environment.drv'...
unpacking channels...
modifying /home/zmanji/.profile...
modifying /home/zmanji/.zshenv...

Installation finished!  To ensure that the necessary environment
variables are set, either log in again, or type

  . /home/zmanji/.nix-profile/etc/profile.d/nix.sh

in your shell.

I used strace to see what differences were there, but I could not figure it out. Would it be possible to change nix-user-chroot to make the nested clone call work?
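An added diagnostic for narrowing down the error quoted above (this is example code, not part of the issue, of Nix or of nix-user-chroot): it attempts the same kind of namespace clone() a user-namespace build sandbox needs, adding one namespace flag at a time, so running it once inside nix-user-chroot and once inside bwrap shows which flag the kernel refuses and with which errno. The flag list is an assumption modelled on such a sandbox; the exact set Nix passes is not quoted on this page. One documented cause of EPERM for CLONE_NEWUSER is a caller that is chrooted (see unshare(2)), which the hint in main() mentions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Namespace flags a user-namespace build sandbox needs. Assumption: modelled
 * on such a sandbox; the exact set Nix passes is not quoted in the issue.
 * CLONE_NEWUSER comes first because an unprivileged caller needs it before
 * any of the others can be granted. */
static const int kSandboxFlags[] = {
    CLONE_NEWUSER, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWIPC, CLONE_NEWUTS, CLONE_NEWNET,
};
static const char *kSandboxFlagNames[] = {
    "CLONE_NEWUSER", "CLONE_NEWNS", "CLONE_NEWPID", "CLONE_NEWIPC", "CLONE_NEWUTS", "CLONE_NEWNET",
};
#define NFLAGS (sizeof kSandboxFlags / sizeof kSandboxFlags[0])

static int child_fn(void *arg) { (void)arg; _exit(0); }

/* Attempt clone() with the given namespace flags. The caller is unaffected:
 * only the short-lived child would live in the new namespaces. Returns 0 on
 * success or the errno clone() reported (EPERM is what the issue shows). */
int probe_clone(int ns_flags)
{
    enum { STACK = 64 * 1024 };
    char *stack = malloc(STACK);          /* stack grows down: pass the top */
    if (!stack) return ENOMEM;
    pid_t pid = clone(child_fn, stack + STACK, ns_flags | SIGCHLD, NULL);
    int err = (pid < 0) ? errno : 0;
    if (pid > 0) waitpid(pid, NULL, 0);   /* reap the probe child */
    free(stack);
    return err;
}

/* Add the flags one at a time, in the order above, and return the index of
 * the first flag whose addition makes clone() fail (-1 if all succeed);
 * *err receives that failure's errno (0 when nothing failed). */
int first_refused_flag(int *err)
{
    int flags = 0;
    for (size_t i = 0; i < NFLAGS; i++) {
        flags |= kSandboxFlags[i];
        int r = probe_clone(flags);
        if (r != 0) { *err = r; return (int)i; }
    }
    *err = 0;
    return -1;
}

int main(void)
{
    int err = 0, idx = first_refused_flag(&err);
    if (idx < 0) { puts("clone() with the full sandbox flag set succeeded here"); return 0; }
    printf("clone() refused once %s was added: %s\n", kSandboxFlagNames[idx], strerror(err));
    if (idx == 0 && err == EPERM)
        puts("hint: CLONE_NEWUSER gives EPERM when the caller is chrooted or user namespaces are disabled (see unshare(2))");
    return 1;
}
```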
