Merge pull request #10652 from tweag/check-additionalSandboxProfile

libstore: check additionalSandboxProfile
2024-11-21 22:32:26 +00:00 · 2024-05-06 17:59:25 +02:00 · 2024-05-06 17:59:25 +02:00 · 2926ef0e90
commit 2926ef0e90
parent 79f03b794c 9bd1191fcc
4 changed files with 47 additions and 4 deletions
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@ -177,6 +177,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)

 void LocalDerivationGoal::tryLocalBuild()
 {
+#if __APPLE__
+    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
+#endif
+
    unsigned int curBuilds = worker.getNrLocalBuilds();
    if (curBuilds >= settings.maxBuildJobs) {
        state = &DerivationGoal::tryToBuild;
@ -495,10 +499,6 @@ void LocalDerivationGoal::startBuilder()
            settings.thisSystem,
            concatStringsSep<StringSet>(", ", worker.store.systemFeatures));

-#if __APPLE__
-    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
-#endif
-
    /* Create a temporary directory where the build will take
       place. */
    tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
--- a/tests/functional/extra-sandbox-profile.nix
+++ b/tests/functional/extra-sandbox-profile.nix
@ -0,0 +1,19 @@
+{ destFile, seed }:
+
+with import ./config.nix;
+
+mkDerivation {
+  name = "simple";
+  __sandboxProfile = ''
+    # Allow writing any file in the filesystem
+    (allow file*)
+  '';
+  inherit seed;
+  buildCommand = ''
+    (
+      set -x
+      touch ${destFile}
+      touch $out
+    )
+  '';
+}
--- a/tests/functional/extra-sandbox-profile.sh
+++ b/tests/functional/extra-sandbox-profile.sh
@ -0,0 +1,23 @@
+source common.sh
+
+if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
+
+DEST_FILE="${TEST_ROOT}/foo"
+
+testSandboxProfile () (
+    set -e
+
+    sandboxMode="$1"
+
+    rm -f "${DEST_FILE}"
+    nix-build --no-out-link ./extra-sandbox-profile.nix \
+        --option sandbox "$sandboxMode" \
+        --argstr seed "$RANDOM" \
+        --argstr destFile "${DEST_FILE}"
+
+    ls -l "${DEST_FILE}"
+)
+
+testSandboxProfile "false"
+expectStderr 2 testSandboxProfile "true"
+testSandboxProfile "relaxed"
--- a/tests/functional/local.mk
+++ b/tests/functional/local.mk
@ -130,6 +130,7 @@ nix_tests = \
  nested-sandboxing.sh \
  impure-env.sh \
  debugger.sh \
+  extra-sandbox-profile.sh \
  help.sh

 ifeq ($(HAVE_LIBCPUID), 1)