Merge pull request #11534 from fricklerhandwerk/backport-10652-to-2.18-maintenance

[backport 2.18] libstore: check additionalSandboxProfile

src/libstore/build/local-derivation-goal.cc

@@ -172,6 +172,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
 
 void LocalDerivationGoal::tryLocalBuild()
 {
+#if __APPLE__
+    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
+#endif
+
     unsigned int curBuilds = worker.getNrLocalBuilds();
     if (curBuilds >= settings.maxBuildJobs) {
         state = &DerivationGoal::tryToBuild;
@@ -478,10 +482,6 @@ void LocalDerivationGoal::startBuilder()
             settings.thisSystem,
             concatStringsSep<StringSet>(", ", worker.store.systemFeatures));
 
-#if __APPLE__
-    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
-#endif
-
     /* Create a temporary directory where the build will take
        place. */
     topTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);

tests/functional/extra-sandbox-profile.nix

@@ -0,0 +1,19 @@
+{ destFile, seed }:
+
+with import ./config.nix;
+
+mkDerivation {
+  name = "simple";
+  __sandboxProfile = ''
+    # Allow writing any file in the filesystem
+    (allow file*)
+  '';
+  inherit seed;
+  buildCommand = ''
+    (
+      set -x
+      touch ${destFile}
+      touch $out
+    )
+  '';
+}

tests/functional/extra-sandbox-profile.sh

@@ -0,0 +1,23 @@
+source common.sh
+
+if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
+
+DEST_FILE="${TEST_ROOT}/foo"
+
+testSandboxProfile () (
+    set -e
+
+    sandboxMode="$1"
+
+    rm -f "${DEST_FILE}"
+    nix-build --no-out-link ./extra-sandbox-profile.nix \
+        --option sandbox "$sandboxMode" \
+        --argstr seed "$RANDOM" \
+        --argstr destFile "${DEST_FILE}"
+
+    ls -l "${DEST_FILE}"
+)
+
+testSandboxProfile "false"
+expectStderr 2 testSandboxProfile "true"
+testSandboxProfile "relaxed"