# Phase 6.2: FreeBSD jail and build-user isolation integrated into the live build path

Date: 2026-04-01

## Summary

This step takes the earlier FreeBSD jail and privilege-drop prototypes and moves them into a real package build submitted through the live Fruix/Guix daemon path.

Added files:

- `tests/daemon/freebsd-drop-exec.c`
- `tests/guix/run-phase6-jail-package-build.sh`

## Validation command

Run command:

```sh
METADATA_OUT=/tmp/phase6-jail-package-metadata.txt \
  ./tests/guix/run-phase6-jail-package-build.sh
```

## What the harness does

The harness:

1. reuses the patched Phase 5 checkout/runtime setup
2. fetches GNU Hello `2.12.3` and verifies the expected SHA256
3. starts the patched daemon on a temporary Unix socket
4. generates a package file that inherits from Guix's real `hello` package definition
5. lowers that package through a FreeBSD-specific build system whose builder:
   - compiles `freebsd-drop-exec`
   - creates a thin jail root
   - mounts a minimal host tool view with explicit `nullfs` mounts
   - mounts the source tarball read-only
   - mounts per-build writable work/output areas
   - enters the jail
   - drops to UID/GID `35001:35001`
   - runs the GNU Hello configure/build/check/install sequence inside the jail
6. copies the staged result back to the real `/frx/store` output path
7. validates runtime output, jail metadata, and preserved source references

## Observed results

Observed metadata included:

- `drv_path=/frx/store/...-hello-2.12.3.drv`
- `out_path=/frx/store/...-hello-2.12.3`
- `runtime_output=Hello, world!`
- `build_uid=35001`
- `build_gid=35001`
- `jail_hostname=fruix-phase6-hello-...`
- `build_mode=freebsd-jail`
- `source_store_path=/frx/store/...-hello-2.12.3.tar.gz`

The GNU Hello test suite also passed inside the jail build path.

## Important findings

- this is no longer a separate subsystem prototype; a real package build submitted through the daemon now executes under FreeBSD jail isolation with dropped build credentials
- the daemon's host `TMPDIR` path was not automatically meaningful inside the jail, so the integrated build path had to reset `TMPDIR=/tmp` inside the jailed builder environment
- a small helper binary was still needed to perform the post-`jexec` UID/GID drop reliably using numeric build identities on FreeBSD
- the output preserved a direct reference to the source tarball store item, so the integrated jail path still maintains the store-reference expectations established in Phase 6.1

## Conclusion

Phase 6.2 is satisfied on the current FreeBSD prototype track:

- a real Fruix/Guix package build now runs inside a FreeBSD jail
- the actual build work executes as a dropped numeric build user (`35001:35001`)
- the build succeeds into `/frx/store`
- the previously separate jail/build-user validation work is now connected to the live package-build path