Wrong seccomp BPF architecture when kernel and userland are running on different architectures

## Describe the bug

Let me preface this by saying that I understand that this is an edge case, and maybe there is no desire to ever support such environment, but I find it quite interesting, so perhaps it's worth fixing.

I've been playing with [apple/container](https://github.com/apple/container) lately, and one interesting thing about  it is that regardless of the selected container architecture, the Linux VM is always running natively as `aarch64`, and if the userland is built for `x86_64`, then the individual processes are started under Rosetta emulation, thanks to the `binfmt` registration.

This unfortunately results in some issues when running `nixos/nix` containers for `x86_64` architecture.

One such issue is that the sandbox builder is trying to load seccomp BPF for the architecture of the userland (as determined at the build-time), and not that of the running kernel.

See: [`src/libstore/unix/build/linux-derivation-builder.cc#L40`](https://github.com/NixOS/nix/blob/dcc71da7e899218161729edcf409ab6269aca392/src/libstore/unix/build/linux-derivation-builder.cc#L40)

## Steps To Reproduce

Start `NixOS/nix` container for `x86_64` architecture using [apple/container](https://github.com/apple/container) on macOS:

```shell
% container run -it --rm --arch x86_64 nixos/nix:2.33.2
```

Setup build environment (fails):

```shell
# nix develop nixpkgs#hello
error:
       … while setting up the build environment

       error: unable to load seccomp BPF program: Invalid argument
#
```

Setup build environment without seccomp BPF (works):

```shell
# nix --no-filter-syscalls develop nixpkgs#hello
#
```

## Expected behavior

`nix develop` build environment starts with seccomp BPF without any issues.

## Metadata

```shell
# nix-env --version
nix-env (Nix) 2.33.2
```

## Additional context

The container contains userland built for `x86_64`, which is running as `x86_64` under Rosetta emulation:

```shell
# uname -m
x86_64
```

Nix assumes that the whole system is `x86_64`:

```shell
# nix config show system
x86_64-linux
```

But the kernel is really running on `aarch64`:

```shell
# nix-shell --quiet -p sysctl --run 'sysctl -n kernel.arch'
aarch64
```

## Checklist

- [X] checked [latest Nix manual] \([source])
- [X] checked [open bug issues and pull requests] for possible duplicates

[latest Nix manual]: https://nix.dev/manual/nix/development/
[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
[open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug

---

Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Wrong seccomp BPF architecture when kernel and userland are running on different architectures #15153

Describe the bug

Steps To Reproduce

Expected behavior

Metadata

Additional context

Checklist

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Wrong seccomp BPF architecture when kernel and userland are running on different architectures #15153

Description

Describe the bug

Steps To Reproduce

Expected behavior

Metadata

Additional context

Checklist

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions