Pasta: a network sandbox for fixed-output derivations

Introduction

This section only applies to Linux systems, as Pasta is a Linux-only measure.

Since CVE-2025-46416, the Lix project has adopted Pasta for all fixed-output derivations. This protects against attack vectors such as reaching UNIX abstract domain sockets on the host and other manipulation at the network layer by malicious fixed-output derivation code.

Pasta acts as a translation layer between a layer-2 network interface inside the sandbox and layer-4 sockets (TCP, UDP, ICMP/ICMPv6 echo) on the host. It requires no special privileges and can serve as an alternative to SLiRP, which Guix used to mitigate the same problem.

How to disable Pasta?

Set pasta-path = "" in your /etc/nix/nix.conf, or pass --pasta-path "" on the command line of a Lix invocation.

Known issues surrounding Pasta