From 90e847698bf788e045c3a96d27a8ac0b3f219c02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
Date: Fri, 12 Apr 2024 15:57:53 +0200
Subject: [PATCH] Fix the access of symlinks to host files in the sandbox

https://github.com/NixOS/nix/pull/10456 fixed the addition of symlink store paths to the sandbox, but also made it so that the hardcoded sandbox paths (like `/etc/hosts`) were now bind-mounted without following the possible symlinks. This made these files unreadable if there were symlinks (because the sandbox would now contain a symlink to an unreachable file rather than the underlying file).

In particular, this broke FOD derivations on NixOS as `/etc/hosts` is a symlink there.

Fix that by canonicalizing all these hardcoded sandbox paths before adding them to the sandbox.

(cherry picked from commit acbb1523c1dc28043d6dab729db696485938f969)
(cherry picked from commit 1cc79f134396a1ceaa745ddd5503f81ec0bbbaf0)

# Conflicts:
#	tests/functional/linux-sandbox.sh
---
 tests/functional/linux-sandbox.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tests/functional/linux-sandbox.sh b/tests/functional/linux-sandbox.sh
index e553791d9..38af43a3e 100644
--- a/tests/functional/linux-sandbox.sh
+++ b/tests/functional/linux-sandbox.sh
@@ -61,11 +61,17 @@ testCert () {
 nocert=$TEST_ROOT/no-cert-file.pem
 cert=$TEST_ROOT/some-cert-file.pem
 symlinkcert=$TEST_ROOT/symlink-cert-file.pem
+<<<<<<< HEAD
 transitivesymlinkcert=$TEST_ROOT/transitive-symlink-cert-file.pem
 symlinkDir=$TEST_ROOT/symlink-dir
 echo -n "CERT_CONTENT" > $cert
 ln -s $cert $symlinkcert
 ln -s $symlinkcert $transitivesymlinkcert
+=======
+symlinkDir=$TEST_ROOT/symlink-dir
+echo -n "CERT_CONTENT" > $cert
+ln -s $cert $symlinkcert
+>>>>>>> 1cc79f134 (Fix the access of symlinks to host files in the sandbox)
 ln -s $TEST_ROOT $symlinkDir
 
 # No cert in sandbox when not a fixed-output derivation
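Review bot: The added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 1cc79f134 (…)` are unresolved cherry-pick conflict markers committed into the test script, and the same three markers are added again in the second hunk; as written the file is not valid bash (`<<<<<<< HEAD` stops the script with a parse error, and `=======` would otherwise be looked up as a command), so the sandbox test cannot run at all. The `# Conflicts:` block left in the commit message confirms the resolution was never completed. In both hunks the HEAD side is a superset of the incoming side — it declares and tests `$transitivesymlinkcert` in addition to `$symlinkcert` — so keeping the HEAD lines and deleting the incoming block along with the markers preserves every assertion the cherry-pick intended without any other code change. The diffstat also shows only this test file changed, so the canonicalization of hardcoded sandbox paths described in the message does not appear to be part of this patch as shown; that should be confirmed before merging.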
@@ -80,9 +86,14 @@ testCert missing fixed-output "$nocert"
 
 # Cert in sandbox when ssl-cert-file is set to an existing file
 testCert present fixed-output "$cert"
+<<<<<<< HEAD
 # Cert in sandbox when ssl-cert-file is set to a (potentially transitive) symlink to an existing file
 testCert present fixed-output "$symlinkcert"
 testCert present fixed-output "$transitivesymlinkcert"
+=======
+# Cert in sandbox when ssl-cert-file is set to a symlink to an existing file
+testCert present fixed-output "$symlinkcert"
+>>>>>>> 1cc79f134 (Fix the access of symlinks to host files in the sandbox)
 
 # Symlinks should be added in the sandbox directly and not followed
 nix-sandbox-build symlink-derivation.nix -A depends_on_symlink