feat(build): add embedded-sandbox-shell support for OCI builds

This adds an optional "embedded-sandbox-shell" feature that embeds the sandbox
shell binary directly into the build at compile time. This simplifies deployment
by removing the runtime dependency on SNIX_BUILD_SANDBOX_SHELL.

The implementation:
- Adds embedded-sandbox-shell feature flag in Cargo.toml
- Requires SNIX_BUILD_SANDBOX_SHELL at compile time for all Linux builds
- When feature is enabled: embeds binary contents at compile time
- When feature is disabled: bakes the path at compile time via option_env\!()
- Extracts embedded binary to temp directory at runtime (when feature enabled)
- Makes sandbox_shell configurable via URL query parameter for OCIBuildService
- Updates OCIBuildService to accept sandbox shell path as constructor parameter

This ensures the sandbox shell is always available without runtime environment
dependencies, whether as a baked path or embedded binary.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Change-Id: Ia5121f7872902d0d0b6afd2b99f45cb5d6537c77

Author: domenkozar

snix/Cargo.lock

@@ -13553,6 +13553,11 @@ rec {
             name = "prost";
             packageId = "prost";
           }
+          {
+            name = "serde";
+            packageId = "serde";
+            features = [ "derive" ];
+          }
           {
             name = "serde_json";
             packageId = "serde_json";
@@ -13627,7 +13632,7 @@ rec {
         features = {
           "tonic-reflection" = [ "dep:tonic-reflection" "snix-castore/tonic-reflection" ];
         };
-        resolvedDefaultFeatures = [ "default" "tonic-reflection" ];
+        resolvedDefaultFeatures = [ "default" "embedded-sandbox-shell" "tonic-reflection" ];
       };
       "snix-castore" = rec {
         crateName = "snix-castore";

snix/Cargo.nix

@@ -26,6 +26,7 @@ data-encoding = "2.5.0"
 futures = "0.3.30"
 oci-spec = "0.7.0"
 nix = { version = "0.29.0", features = ["user"] }
+serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.111"
 snix-tracing = { path = "../tracing" }
 uuid = { version = "1.7.0", features = ["v4"] }
@@ -37,6 +38,7 @@ tonic-build.workspace = true
 [features]
 default = []
 tonic-reflection = ["dep:tonic-reflection", "snix-castore/tonic-reflection"]
+embedded-sandbox-shell = []
 
 [dev-dependencies]
 rstest.workspace = true

snix/build/Cargo.toml

@@ -1,6 +1,29 @@
 use std::io::Result;
 
 fn main() -> Result<()> {
+    // SNIX_BUILD_SANDBOX_SHELL is required at compile time for Linux builds
+    #[cfg(target_os = "linux")]
+    {
+        if let Ok(shell_path) = std::env::var("SNIX_BUILD_SANDBOX_SHELL") {
+            // Tell cargo to rerun if the sandbox shell binary changes
+            println!("cargo:rerun-if-changed={}", shell_path);
+
+            // When embedded-sandbox-shell feature is enabled, verify the file exists
+            #[cfg(feature = "embedded-sandbox-shell")]
+            {
+                if !std::path::Path::new(&shell_path).exists() {
+                    panic!(
+                        "SNIX_BUILD_SANDBOX_SHELL points to non-existent file: {}",
+                        shell_path
+                    );
+                }
+            }
+        } else {
+            panic!(
+                "SNIX_BUILD_SANDBOX_SHELL environment variable must be set at compile time for Linux builds"
+            );
+        }
+    }
     #[allow(unused_mut)]
     let mut builder = tonic_build::configure();
 

snix/build/build.rs

@@ -1,10 +1,143 @@
 use super::{BuildService, DummyBuildService, grpc::GRPCBuildService};
+use serde::Deserialize;
 use snix_castore::{blobservice::BlobService, directoryservice::DirectoryService};
+use std::path::PathBuf;
+#[cfg(all(target_os = "linux", feature = "embedded-sandbox-shell"))]
+use std::sync::OnceLock;
 use url::Url;
 
 #[cfg(target_os = "linux")]
 use super::oci::OCIBuildService;
 
+/// Compile-time path to sandbox shell (when embedded-sandbox-shell feature is disabled)
+#[cfg(all(target_os = "linux", not(feature = "embedded-sandbox-shell")))]
+const SNIX_BUILD_SANDBOX_SHELL: Option<&str> = option_env!("SNIX_BUILD_SANDBOX_SHELL");
+
+/// Extract the embedded sandbox shell binary to a temporary location and return its path
+#[cfg(all(target_os = "linux", feature = "embedded-sandbox-shell"))]
+fn get_embedded_sandbox_shell_path() -> Result<PathBuf, std::io::Error> {
+    use std::fs;
+    use std::os::unix::fs::PermissionsExt;
+    use std::sync::Mutex;
+
+    static EXTRACTED_SANDBOX_SHELL_PATH: OnceLock<Result<PathBuf, String>> = OnceLock::new();
+    static INIT_MUTEX: Mutex<()> = Mutex::new(());
+
+    // The embedded sandbox shell binary (included at compile time)
+    static EMBEDDED_SANDBOX_SHELL_BINARY: &[u8] = include_bytes!(env!("SNIX_BUILD_SANDBOX_SHELL"));
+
+    let result = EXTRACTED_SANDBOX_SHELL_PATH.get_or_init(|| {
+        let _guard = INIT_MUTEX.lock().unwrap();
+
+        let temp_dir = std::env::temp_dir();
+        let sandbox_shell_path = temp_dir.join(format!("snix-sandbox-shell-{}", std::process::id()));
+
+        // Write the binary
+        if let Err(e) = fs::write(&sandbox_shell_path, EMBEDDED_SANDBOX_SHELL_BINARY) {
+            return Err(e.to_string());
+        }
+
+        // Make it executable
+        match fs::metadata(&sandbox_shell_path) {
+            Ok(metadata) => {
+                let mut perms = metadata.permissions();
+                perms.set_mode(0o755);
+                if let Err(e) = fs::set_permissions(&sandbox_shell_path, perms) {
+                    return Err(e.to_string());
+                }
+            }
+            Err(e) => return Err(e.to_string()),
+        }
+
+        tracing::debug!(
+            ?sandbox_shell_path,
+            "extracted embedded sandbox shell binary"
+        );
+
+        Ok(sandbox_shell_path)
+    });
+
+    match result {
+        Ok(path) => Ok(path.clone()),
+        Err(e) => Err(std::io::Error::new(std::io::ErrorKind::Other, e.clone())),
+    }
+}
+
+/// Configuration for OCIBuildService
+#[cfg(target_os = "linux")]
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct OCIBuildServiceConfig {
+    /// Root path in which all bundles are created
+    pub bundle_root: PathBuf,
+
+    /// Path to the sandbox shell to use.
+    /// This needs to be a statically linked binary, or you must ensure all
+    /// dependencies are part of the build (which they usually are not).
+    #[serde(default = "default_sandbox_shell")]
+    pub sandbox_shell: PathBuf,
+    // TODO: make rootless_uid_gid configurable
+}
+
+#[cfg(target_os = "linux")]
+fn default_sandbox_shell() -> PathBuf {
+    // When embedded-sandbox-shell is enabled, extract and use the embedded binary
+    #[cfg(feature = "embedded-sandbox-shell")]
+    {
+        if let Ok(path) = get_embedded_sandbox_shell_path() {
+            return path;
+        }
+        tracing::warn!("failed to extract embedded sandbox shell");
+    }
+
+    // When embedded-sandbox-shell is disabled, use the compile-time path
+    #[cfg(not(feature = "embedded-sandbox-shell"))]
+    {
+        if let Some(path) = SNIX_BUILD_SANDBOX_SHELL {
+            return PathBuf::from(path);
+        }
+    }
+
+    panic!(
+        "No sandbox shell found. The OCI build service requires a statically linked shell binary.\n\
+        \n\
+        To build snix with nixpkgs, use one of these methods:\n\
+        1. Set SNIX_BUILD_SANDBOX_SHELL to a statically linked shell:\n\
+           export SNIX_BUILD_SANDBOX_SHELL=$(nix-build '<nixpkgs>' -A busybox-sandbox-shell --no-out-link)/bin/busybox\n\
+        \n\
+        2. Build with the embedded-sandbox-shell feature (also requires SNIX_BUILD_SANDBOX_SHELL at compile time):\n\
+           export SNIX_BUILD_SANDBOX_SHELL=$(nix-build '<nixpkgs>' -A busybox-sandbox-shell --no-out-link)/bin/busybox\n\
+           cargo build --features embedded-sandbox-shell\n\
+        \n\
+        3. Pass the shell path via URL query parameter:\n\
+           oci:///path/to/bundle?sandbox_shell=/path/to/static/shell"
+    );
+}
+
+#[cfg(target_os = "linux")]
+impl TryFrom<Url> for OCIBuildServiceConfig {
+    type Error = Box<dyn std::error::Error + Send + Sync>;
+
+    fn try_from(url: Url) -> Result<Self, Self::Error> {
+        // oci wants a path in which it creates bundles
+        if url.path().is_empty() {
+            return Err("oci needs a bundle dir as path".into());
+        }
+
+        // Parse sandbox_shell from query parameters
+        let query_pairs: std::collections::HashMap<_, _> = url.query_pairs().collect();
+        let sandbox_shell = query_pairs
+            .get("sandbox_shell")
+            .map(|s| PathBuf::from(s.as_ref()))
+            .unwrap_or_else(default_sandbox_shell);
+
+        Ok(OCIBuildServiceConfig {
+            bundle_root: url.path().into(),
+            sandbox_shell,
+        })
+    }
+}
+
 /// Constructs a new instance of a [BuildService] from an URI.
 ///
 /// The following schemes are supported by the following services:
@@ -32,17 +165,14 @@ where
         "dummy" => Box::<DummyBuildService>::default(),
         #[cfg(target_os = "linux")]
         "oci" => {
-            // oci wants a path in which it creates bundles.
-            if url.path().is_empty() {
-                Err(std::io::Error::other("oci needs a bundle dir as path"))?
-            }
-
-            // TODO: make sandbox shell and rootless_uid_gid
+            let config = OCIBuildServiceConfig::try_from(url)
+                .map_err(|e| std::io::Error::other(format!("invalid oci config: {}", e)))?;
 
             Box::new(OCIBuildService::new(
-                url.path().into(),
+                config.bundle_root,
                 blob_service,
                 directory_service,
+                config.sandbox_shell,
             ))
         }
         scheme => {

snix/build/src/buildservice/from_addr.rs

@@ -18,7 +18,6 @@ use std::{ffi::OsStr, path::PathBuf, process::Stdio};
 
 use super::BuildService;
 
-const SANDBOX_SHELL: &str = env!("SNIX_BUILD_SANDBOX_SHELL");
 const MAX_CONCURRENT_BUILDS: usize = 2; // TODO: make configurable
 
 pub struct OCIBuildService<BS, DS> {
@@ -30,13 +29,21 @@ pub struct OCIBuildService<BS, DS> {
     /// Handle to a [DirectoryService], used by filesystems spawned during builds.
     directory_service: DS,
 
+    /// Path to the sandbox shell to use
+    sandbox_shell: PathBuf,
+
     // semaphore to track number of concurrently running builds.
     // this is necessary, as otherwise we very quickly run out of open file handles.
     concurrent_builds: tokio::sync::Semaphore,
 }
 
 impl<BS, DS> OCIBuildService<BS, DS> {
-    pub fn new(bundle_root: PathBuf, blob_service: BS, directory_service: DS) -> Self {
+    pub fn new(
+        bundle_root: PathBuf,
+        blob_service: BS,
+        directory_service: DS,
+        sandbox_shell: PathBuf,
+    ) -> Self {
         // We map root inside the container to the uid/gid this is running at,
         // and allocate one for uid 1000 into the container from the range we
         // got in /etc/sub{u,g}id.
@@ -45,6 +52,7 @@ impl<BS, DS> OCIBuildService<BS, DS> {
             bundle_root,
             blob_service,
             directory_service,
+            sandbox_shell,
             concurrent_builds: tokio::sync::Semaphore::new(MAX_CONCURRENT_BUILDS),
         }
     }
@@ -66,7 +74,7 @@ where
         let span = Span::current();
         span.record("bundle_name", bundle_name.to_string());
 
-        let mut runtime_spec = make_spec(&request, true, SANDBOX_SHELL)
+        let mut runtime_spec = make_spec(&request, true, self.sandbox_shell.to_str().unwrap())
             .context("failed to create spec")
             .map_err(std::io::Error::other)?;
 

snix/build/src/buildservice/oci.rs

@@ -67,7 +67,7 @@ in
     inherit cargoDeps src;
     name = "snix-rust-docs";
     PROTO_ROOT = protos;
-    SNIX_BUILD_SANDBOX_SHELL = "/homeless-shelter";
+    SNIX_BUILD_SANDBOX_SHELL = if pkgs.stdenv.isLinux then pkgs.busybox-sandbox-shell + "/bin/busybox" else "/bin/sh";
 
     nativeBuildInputs = with pkgs; [
       cargo
@@ -93,7 +93,7 @@ in
     inherit cargoDeps src;
     name = "snix-clippy";
     PROTO_ROOT = protos;
-    SNIX_BUILD_SANDBOX_SHELL = "/homeless-shelter";
+    SNIX_BUILD_SANDBOX_SHELL = if pkgs.stdenv.isLinux then pkgs.busybox-sandbox-shell + "/bin/busybox" else "/bin/sh";
 
     buildInputs = [
       pkgs.fuse