System V IPC objects not cleaned up with Darwin Sandbox

[wolfgangwalther]

Describe the bug

The darwin sandbox does not clean up System V IPC objects.

Steps To Reproduce

On a darwin system:

1. Run:

nix-build --no-link -E 'with import <nixpkgs> {};
stdenv.mkDerivation {
  name = "ipc";
  dontUnpack = true;
  doCheck = true;
  nativeCheckInputs = [ postgresqlTestHook postgresql ];
  checkPhase = "runHook preCheck; sleep 1000";
}'`

2. Cancel the sleeping build.
3. Run ipcs -ma and see the left-over shared memory segment belonging to a build user.

(you can clean up with ipcrm -m <ID>)

Expected behavior

ipcs -ma should not return any left-over shared memory segments.

Metadata

nix-env (Nix) 2.24.12

Additional context

More details about my analysis:

• Build failure: postgresql on darwin nixpkgs#371242 (comment)

The Linux sandbox mentions IPC cleanup explicitly:

• nix/src/libstore/unix/build/local-derivation-goal.cc

  Lines 959 to 963 in d904921

  	- The IPC namespace prevents the builder from communicating
  	with outside processes using SysV IPC mechanisms (shared
  	memory, message queues, semaphores). It also ensures
  	that all IPC objects are destroyed when the builder
  	exits.

Various tickets which are all caused by this:

• Build failure: postgresql on darwin nixpkgs#371242
• pgx_ulid: init at 0.2.0 nixpkgs#371463 (comment)
• PostgreSQL tests fail on Hydra (darwin) nixpkgs#198495
• https://discourse.nixos.org/t/nixbld-leaving-around-shared-memory-segments/30043
• and some more cases where PostgreSQL-related tests are disabled for Darwin

Checklist

• checked latest Nix manual (source)
• checked open bug issues and pull requests for possible duplicates

---

Add 👍 to issues you find important.