nordic-dev.net/nix
nordic-dev.net/nix
2
0
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2024-11-25 08:12:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix the access of symlinks to host files in the sandbox

Browse Source 
https://github.com/NixOS/nix/pull/10456 fixed the addition of symlink
store paths to the sandbox, but also made it so that the hardcoded
sandbox paths (like `/etc/hosts`) were now bind-mounted without
following the possible symlinks. This made these files unreadable if
there were symlinks (because the sandbox would now contain a symlink to
an unreachable file rather than the underlying file).
In particular, this broke FOD derivations on NixOS as `/etc/hosts` is a
symlink there.

Fix that by canonicalizing all these hardcoded sandbox paths before
adding them to the sandbox.

(cherry picked from commit acbb1523c1)
(cherry picked from commit 1cc79f1343)

# Conflicts:
#	tests/functional/linux-sandbox.sh
This commit is contained in:
Théophane Hufschmitt 2024-04-12 15:57:53 +02:00 committed by Mergify
parent e393ee3fdb
commit 90e847698b
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
tests/functional/linux-sandbox.sh
View File

@ -61,11 +61,17 @@ testCert () {
nocert=$TEST_ROOT/no-cert-file.pem nocert=$TEST_ROOT/no-cert-file.pem
cert=$TEST_ROOT/some-cert-file.pem cert=$TEST_ROOT/some-cert-file.pem
symlinkcert=$TEST_ROOT/symlink-cert-file.pem symlinkcert=$TEST_ROOT/symlink-cert-file.pem
<<<<<<< HEAD
transitivesymlinkcert=$TEST_ROOT/transitive-symlink-cert-file.pem transitivesymlinkcert=$TEST_ROOT/transitive-symlink-cert-file.pem
symlinkDir=$TEST_ROOT/symlink-dir symlinkDir=$TEST_ROOT/symlink-dir
echo -n "CERT_CONTENT" > $cert echo -n "CERT_CONTENT" > $cert
ln -s $cert $symlinkcert ln -s $cert $symlinkcert
ln -s $symlinkcert $transitivesymlinkcert ln -s $symlinkcert $transitivesymlinkcert
=======
symlinkDir=$TEST_ROOT/symlink-dir
echo -n "CERT_CONTENT" > $cert
ln -s $cert $symlinkcert
>>>>>>> 1cc79f134 (Fix the access of symlinks to host files in the sandbox)
ln -s $TEST_ROOT $symlinkDir ln -s $TEST_ROOT $symlinkDir
# No cert in sandbox when not a fixed-output derivation # No cert in sandbox when not a fixed-output derivation
@ -80,9 +86,14 @@ testCert missing fixed-output "$nocert"
# Cert in sandbox when ssl-cert-file is set to an existing file # Cert in sandbox when ssl-cert-file is set to an existing file
testCert present fixed-output "$cert" testCert present fixed-output "$cert"
<<<<<<< HEAD
# Cert in sandbox when ssl-cert-file is set to a (potentially transitive) symlink to an existing file # Cert in sandbox when ssl-cert-file is set to a (potentially transitive) symlink to an existing file
testCert present fixed-output "$symlinkcert" testCert present fixed-output "$symlinkcert"
testCert present fixed-output "$transitivesymlinkcert" testCert present fixed-output "$transitivesymlinkcert"
=======
# Cert in sandbox when ssl-cert-file is set to a symlink to an existing file
testCert present fixed-output "$symlinkcert"
>>>>>>> 1cc79f134 (Fix the access of symlinks to host files in the sandbox)
# Symlinks should be added in the sandbox directly and not followed # Symlinks should be added in the sandbox directly and not followed
nix-sandbox-build symlink-derivation.nix -A depends_on_symlink nix-sandbox-build symlink-derivation.nix -A depends_on_symlink