libstore: check additionalSandboxProfile
Make sure that `extraSandboxProfile` is set before we check whether it's empty or not (in the `sandbox=true` case). Also adds a test case for this. Co-Authored-By: Artemis Tosini <lix@artem.ist> Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
parent
20445dfeaf
commit
9bd1191fcc
@ -177,6 +177,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
|
|||||||
|
|
||||||
void LocalDerivationGoal::tryLocalBuild()
|
void LocalDerivationGoal::tryLocalBuild()
|
||||||
{
|
{
|
||||||
|
#if __APPLE__
|
||||||
|
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||||||
|
#endif
|
||||||
|
|
||||||
unsigned int curBuilds = worker.getNrLocalBuilds();
|
unsigned int curBuilds = worker.getNrLocalBuilds();
|
||||||
if (curBuilds >= settings.maxBuildJobs) {
|
if (curBuilds >= settings.maxBuildJobs) {
|
||||||
state = &DerivationGoal::tryToBuild;
|
state = &DerivationGoal::tryToBuild;
|
||||||
@ -495,10 +499,6 @@ void LocalDerivationGoal::startBuilder()
|
|||||||
settings.thisSystem,
|
settings.thisSystem,
|
||||||
concatStringsSep<StringSet>(", ", worker.store.systemFeatures));
|
concatStringsSep<StringSet>(", ", worker.store.systemFeatures));
|
||||||
|
|
||||||
#if __APPLE__
|
|
||||||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Create a temporary directory where the build will take
|
/* Create a temporary directory where the build will take
|
||||||
place. */
|
place. */
|
||||||
tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
|
tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
|
||||||
|
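Review bot: The assignment added at the top of `tryLocalBuild()` carries an ordering requirement that nothing in the code states. Per the commit message it has to run before the emptiness check that rejects `__sandboxProfile` under `sandbox=true`, and that check is not visible in either hunk. A later refactor that moves the line back down would presumably bring back the case where a derivation-supplied profile is never seen by that check on a fully sandboxed macOS build. I would put a comment above the `#if __APPLE__` block, e.g. `/* Must be read before the sandbox-mode check: a non-empty __sandboxProfile is only accepted when the sandbox is relaxed or off. */`. Both `tryLocalBuild()` and `startBuilder()` continue outside the hunks.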
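--- /dev/null
+++ b/tests/functional/extra-sandbox-profile.nix
@@ -0,0 +1,19 @@
+{ destFile, seed }:
+
+with import ./config.nix;
+
+mkDerivation {
+name = "simple";
+__sandboxProfile = ''
+# Allow writing any file in the filesystem
+(allow file*)
+'';
+inherit seed;
+buildCommand = ''
+(
+set -x
+touch ${destFile}
+touch $out
+)
+'';
+}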
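Review bot: `touch ${destFile}` interpolates the path into the build script unquoted, so a `TEST_ROOT` containing whitespace would make the build touch different paths from the one the shell test inspects; `touch "${destFile}"` avoids that. The profile comment is also narrower than the rule it describes: `(allow file*)` permits every file operation, not only writes, so I would reword it to `# Allow all file operations anywhere on the filesystem`.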
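--- /dev/null
+++ b/tests/functional/extra-sandbox-profile.sh
@@ -0,0 +1,23 @@
+source common.sh
+
+if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
+
+DEST_FILE="${TEST_ROOT}/foo"
+
+testSandboxProfile () (
+set -e
+
+sandboxMode="$1"
+
+rm -f "${DEST_FILE}"
+nix-build --no-out-link ./extra-sandbox-profile.nix \
+--option sandbox "$sandboxMode" \
+--argstr seed "$RANDOM" \
+--argstr destFile "${DEST_FILE}"
+
+ls -l "${DEST_FILE}"
+)
+
+testSandboxProfile "false"
+expectStderr 2 testSandboxProfile "true"
+testSandboxProfile "relaxed"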
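Review bot: The `sandbox=true` case on the `expectStderr 2 testSandboxProfile "true"` line pins only an exit status. Depending on how `expectStderr` invokes the function, that status can come from either `nix-build` or the trailing `ls -l`, so the test does not show that the build was refused rather than run. Since this is the case the fix is about, I would follow that line with an explicit check that nothing was written outside the sandbox, `[[ ! -e "${DEST_FILE}" ]]`. I would also match the captured stderr against the expected rejection message.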
@ -130,6 +130,7 @@ nix_tests = \
|
|||||||
nested-sandboxing.sh \
|
nested-sandboxing.sh \
|
||||||
impure-env.sh \
|
impure-env.sh \
|
||||||
debugger.sh \
|
debugger.sh \
|
||||||
|
extra-sandbox-profile.sh \
|
||||||
help.sh
|
help.sh
|
||||||
|
|
||||||
ifeq ($(HAVE_LIBCPUID), 1)
|
ifeq ($(HAVE_LIBCPUID), 1)
|
||||||
|