Run test to determine if sandboxing is available

adds smEnabledIfAvailable option that will run a check where possible
to determine if user namespaces are supported.

src/libstore/build.cc

@@ -1839,6 +1839,9 @@ static void preloadNSS() {
     });
 }
 
+// Used in the clone call to detect sandboxing availability.
+int testChildFn() { return 0; }
+
 void DerivationGoal::startBuilder()
 {
     /* Right platform? */
@@ -1875,6 +1878,28 @@ void DerivationGoal::startBuilder()
             useChroot = false;
         else if (settings.sandboxMode == smRelaxed)
             useChroot = !fixedOutput && !noChroot;
+        else if (settings.sandboxMode == smEnabledIfAvailable) {
+            useChroot = true;
+#if __linux__
+            // Enable sandboxing only if the system supports it. A
+            // clone is tried to determine if it works. Success
+            // indicates sandboxing can be enabled, otherwise disable
+            // sandboxing
+
+            int flags = CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
+            size_t stackSize = 1;
+            char* stack = malloc(stackSize);
+            pid_t child = clone(NULL, stack + stackSize, flags, NULL);
+
+            if (child > -1)
+                kill(child, SIGKILL);
+
+            if (child == -1 ) {
+                printError("warning: test cloning failed, sandboxing is disabled");
+                useChroot = false;
+            }
+#endif
+        }
     }
 
     if (worker.store.storeDir != worker.store.realStoreDir) {

src/libstore/globals.hh

@@ -11,7 +11,7 @@
 
 namespace nix {
 
-typedef enum { smEnabled, smRelaxed, smDisabled } SandboxMode;
+typedef enum { smEnabled, smEnabledIfAvailable, smRelaxed, smDisabled } SandboxMode;
 
 struct MaxBuildJobsSetting : public BaseSetting<unsigned int>
 {
@@ -197,7 +197,7 @@ public:
 
     Setting<SandboxMode> sandboxMode{this,
         #if __linux__
-          smEnabled
+          smEnabledIfAvailable
         #else
           smDisabled
         #endif