libstore: Fix sandbox=relaxed
The fix for the Darwin vulnerability in ecdbc3b207
also broke setting `__sandboxProfile` when `sandbox=relaxed` or
`sandbox=false`. This cppnix change fixes `sandbox=relaxed` and
adds a suitable test.
Co-Authored-By: Artemis Tosini <lix@artem.ist>
Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
Change-Id: I40190f44f3e1d61846df1c7b89677c20a1488522
parent
f782c8a60a
commit
adea821d87
4 changed files with 47 additions and 1 deletions
|
@ -175,6 +175,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
|
|||
|
||||
void LocalDerivationGoal::tryLocalBuild()
|
||||
{
|
||||
#if __APPLE__
|
||||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||||
#endif
|
||||
|
||||
unsigned int curBuilds = worker.getNrLocalBuilds();
|
||||
if (curBuilds >= settings.maxBuildJobs) {
|
||||
state = &DerivationGoal::tryToBuild;
|
||||
|
@ -193,7 +197,6 @@ void LocalDerivationGoal::tryLocalBuild()
|
|||
throw Error("derivation '%s' has '__noChroot' set, "
|
||||
"but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
|
||||
#if __APPLE__
|
||||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||||
if (additionalSandboxProfile != "")
|
||||
throw Error("derivation '%s' specifies a sandbox profile, "
|
||||
"but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
|
||||
|
|
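Review bot: The `sandbox = true` rejection in the second hunk (`if (additionalSandboxProfile != "")`) now depends on the assignment added at the top of `tryLocalBuild()`, and neither site says so. `__sandboxProfile` is text supplied by the derivation, so I would record the invariant where it is read, e.g. `// Derivation-supplied profile text; must be rejected below when sandbox is 'true'.` above the new assignment. The assignment also runs before the `curBuilds >= settings.maxBuildJobs` check, so it is presumably repeated whenever the goal comes back through this function; that looks harmless, but it could sit after the slot check. `tryLocalBuild()` continues past both hunks, so how the profile is consumed for `relaxed` and `false` is not visible here.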
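--- a/tests/functional/extra-sandbox-profile.nix
+++ b/tests/functional/extra-sandbox-profile.nix
@@ -0,0 +1,19 @@
+{ destFile, seed }:
+
+with import ./config.nix;
+
+mkDerivation {
+name = "simple";
+__sandboxProfile = ''
+# Allow writing any file in the filesystem
+(allow file*)
+'';
+inherit seed;
+buildCommand = ''
+(
+set -x
+touch ${destFile}
+touch $out
+)
+'';
+}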
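Review bot: The comment inside `__sandboxProfile` says the rule allows writing, but `(allow file*)` matches every file operation, not only writes. Either word the comment to match, e.g. `# Allow all file operations on any path`, or narrow the rule to what the test needs, which from `buildCommand` appears to be only creating `${destFile}`. A fixture that grants no more than the test exercises also makes a pass under `relaxed` easier to interpret. The derivation name `simple` looks carried over from another fixture; a name matching the test would help when reading build logs.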
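--- a/tests/functional/extra-sandbox-profile.sh
+++ b/tests/functional/extra-sandbox-profile.sh
@@ -0,0 +1,23 @@
+source common.sh
+
+if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
+
+DEST_FILE="${TEST_ROOT}/foo"
+
+testSandboxProfile () (
+set -e
+
+sandboxMode="$1"
+
+rm -f "${DEST_FILE}"
+nix-build --no-out-link ./extra-sandbox-profile.nix \
+--option sandbox "$sandboxMode" \
+--argstr seed "$RANDOM" \
+--argstr destFile "${DEST_FILE}"
+
+ls -l "${DEST_FILE}"
+)
+
+testSandboxProfile "false"
+expectStderr 2 testSandboxProfile "true"
+testSandboxProfile "relaxed"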
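Review bot: The `sandbox = true` case (`expectStderr 2 testSandboxProfile "true"`) checks only an exit status, so any failure that yields that status passes, including one unrelated to the profile rejection. I would also match the captured output against the new error text (`specifies a sandbox profile`) and assert afterwards that the file was not created, `[[ ! -e "${DEST_FILE}" ]]`. Depending on how `expectStderr` invokes its argument, the `set -e` inside `testSandboxProfile` may not take effect (bash ignores it in a function run as part of an `&&`/`||` list or a condition), in which case the status would come from the final `ls` rather than from `nix-build`; worth confirming against the helper in `common.sh`. The `false` case presumably passes without any sandbox at all, so `relaxed` is the only run that exercises the profile.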
|
@ -182,6 +182,7 @@ functional_tests_scripts = [
|
|||
'debugger.sh',
|
||||
'plugins.sh',
|
||||
'test-libstoreconsumer.sh',
|
||||
'extra-sandbox-profile.sh',
|
||||
]
|
||||
|
||||
# TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make
|
||||
|
|