revert(tvix): "Disable sandboxing by default until its time comes" r/1768

This reverts commit a41c3dedb18201aa689206079e203f41c9bef389.

Reason for revert: I believe its time has come.

Change-Id: I4133dc8a3b57b40b280646d1622ed7a0409c5246
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1941
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: kanepyork <rikingcoding@gmail.com>

1 files changed, 15 insertions, 8 deletions

diff --git a/third_party/nix/src/libstore/globals.hh b/third_party/nix/src/libstore/globals.hh
index 29848fbb4b7a..ed9b6a338e96 100644
--- a/third_party/nix/src/libstore/globals.hh
+++ b/third_party/nix/src/libstore/globals.hh
@@ -243,14 +243,21 @@ class Settings : public Config {
       this, false, "show-trace",
       "Whether to show a stack trace on evaluation errors."};
 
-  Setting<SandboxMode> sandboxMode{
-      this,
-      // TODO(tazjin): Turn sandboxing back on once it is time.
-      smDisabled,
-      "sandbox",
-      "Whether to enable sandboxed builds. Can be \"true\", \"false\" or "
-      "\"relaxed\".",
-      {"build-use-chroot", "build-use-sandbox"}};
+  Setting<SandboxMode> sandboxMode {
+    this,
+#if __linux__
+        smEnabled
+#else
+        smDisabled
+#endif
+        ,
+        "sandbox",
+        "Whether to enable sandboxed builds. Can be \"true\", \"false\" or "
+        "\"relaxed\".",
+    {
+      "build-use-chroot", "build-use-sandbox"
+    }
+  };
 
   Setting<PathSet> sandboxPaths{
       this,