libstore: check additionalSandboxProfile

Make sure that `extraSandboxProfile` is set before we check whether it's
empty or not (in the `sandbox=true` case).

Also adds a test case for this.

Co-Authored-By: Artemis Tosini <lix@artem.ist>
Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
This commit is contained in:
Théophane Hufschmitt 2024-05-06 15:10:18 +02:00
parent 20445dfeaf
commit 9bd1191fcc
4 changed files with 47 additions and 4 deletions

View File

@ -177,6 +177,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
void LocalDerivationGoal::tryLocalBuild() void LocalDerivationGoal::tryLocalBuild()
{ {
#if __APPLE__
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
#endif
unsigned int curBuilds = worker.getNrLocalBuilds(); unsigned int curBuilds = worker.getNrLocalBuilds();
if (curBuilds >= settings.maxBuildJobs) { if (curBuilds >= settings.maxBuildJobs) {
state = &DerivationGoal::tryToBuild; state = &DerivationGoal::tryToBuild;
@ -495,10 +499,6 @@ void LocalDerivationGoal::startBuilder()
settings.thisSystem, settings.thisSystem,
concatStringsSep<StringSet>(", ", worker.store.systemFeatures)); concatStringsSep<StringSet>(", ", worker.store.systemFeatures));
#if __APPLE__
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
#endif
/* Create a temporary directory where the build will take /* Create a temporary directory where the build will take
place. */ place. */
tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700); tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);

View File

@ -0,0 +1,19 @@
{ destFile, seed }:
with import ./config.nix;
mkDerivation {
name = "simple";
__sandboxProfile = ''
# Allow writing any file in the filesystem
(allow file*)
'';
inherit seed;
buildCommand = ''
(
set -x
touch ${destFile}
touch $out
)
'';
}

View File

@ -0,0 +1,23 @@
source common.sh
if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
DEST_FILE="${TEST_ROOT}/foo"
testSandboxProfile () (
set -e
sandboxMode="$1"
rm -f "${DEST_FILE}"
nix-build --no-out-link ./extra-sandbox-profile.nix \
--option sandbox "$sandboxMode" \
--argstr seed "$RANDOM" \
--argstr destFile "${DEST_FILE}"
ls -l "${DEST_FILE}"
)
testSandboxProfile "false"
expectStderr 2 testSandboxProfile "true"
testSandboxProfile "relaxed"

View File

@ -130,6 +130,7 @@ nix_tests = \
nested-sandboxing.sh \ nested-sandboxing.sh \
impure-env.sh \ impure-env.sh \
debugger.sh \ debugger.sh \
extra-sandbox-profile.sh \
help.sh help.sh
ifeq ($(HAVE_LIBCPUID), 1) ifeq ($(HAVE_LIBCPUID), 1)