Alyssa Ross writes:

> After some rather extensive debugging, I've determined that most of
> these are to do with not being able to set the setgid bit. If I mask it
> off in git's adjust_shared_perm function, I get down to two failures. I
> don't know enough about filesystem permissions to know why this wouldn't
> be allowed inside the sandbox if it is allowed normally, though.

Aha! setuid and setgid permissions are disallowed in Nix builds using
seccomp[1].

So, I suppose it would be reasonable for us to either disable the test
suite, or try to disable just the tests that try to create setgid
things, unless you're open to adding a check for such a restriction and
skipping tests if so. More than reasonable not to, though -- seccomp is
a nightmare and next to impossible to reasonably support as upstream.

[1]: https://github.com/NixOS/nix/blob/5038e1bec43a71c97ae7f8be07218a8a2edbb6a1/src/libstore/build.cc#L2678
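
One way to implement the kind of check the message proposes, as an added example (not part of the original message, and not code from git or Nix): a POSIX shell probe that tries to set the setgid bit on a scratch directory and reports whether setgid-dependent tests should run. The function names and the replaceable chmod argument are assumptions made for illustration.

```shell
#!/bin/sh
# Probe whether this environment lets us set the setgid bit on a directory.
# Usage: can_set_setgid [chmod-command]
# The optional argument is an assumption of this example: it swaps in a
# stand-in for chmod so the denial path can be exercised outside a sandbox.
can_set_setgid() {
    probe_chmod=${1:-chmod}
    probe_dir=$(mktemp -d "${TMPDIR:-/tmp}/setgid-probe.XXXXXX") || return 2
    probe_rc=1
    # A seccomp restriction like the one referenced in [1] makes the chmod
    # call itself fail; other setups may accept the call but not keep the
    # bit, so check both the exit status and the resulting mode.
    if "$probe_chmod" g+s "$probe_dir" 2>/dev/null && [ -g "$probe_dir" ]; then
        probe_rc=0
    fi
    rm -rf "$probe_dir"
    return "$probe_rc"
}

# Decide what a test runner should do with tests that create setgid things.
setgid_test_action() {
    if can_set_setgid "$@"; then
        echo run
    else
        echo "skip: cannot set the setgid bit here (sandboxed build?)"
    fi
}

# Constructed stand-ins for the two failure modes (not real tools).
chmod_denied()  { return 1; }   # call rejected, as under a seccomp filter
chmod_ignored() { return 0; }   # call accepted, but the bit is never set

# Report for the current environment using the real chmod.
setgid_test_action
```

A test suite would call `can_set_setgid` once up front and skip only the setgid-dependent cases when it fails, rather than disabling the whole suite.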