libstore: Fix sandbox=relaxed

The fix for the Darwin vulnerability in ecdbc3b207
also broke setting `__sandboxProfile` when `sandbox=relaxed` or
`sandbox=false`. This cppnix change fixes `sandbox=relaxed` and
adds a suitable test.

Co-Authored-By: Artemis Tosini <lix@artem.ist>
Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
Change-Id: I40190f44f3e1d61846df1c7b89677c20a1488522
Théophane Hufschmitt 2024-05-06 15:10:18 +02:00 committed by Artemis Tosini
parent f782c8a60a
commit adea821d87
4 changed files with 47 additions and 1 deletions


@ -175,6 +175,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
void LocalDerivationGoal::tryLocalBuild() void LocalDerivationGoal::tryLocalBuild()
{ {
#if __APPLE__
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
#endif
unsigned int curBuilds = worker.getNrLocalBuilds(); unsigned int curBuilds = worker.getNrLocalBuilds();
if (curBuilds >= settings.maxBuildJobs) { if (curBuilds >= settings.maxBuildJobs) {
state = &DerivationGoal::tryToBuild; state = &DerivationGoal::tryToBuild;
@ -193,7 +197,6 @@ void LocalDerivationGoal::tryLocalBuild()
throw Error("derivation '%s' has '__noChroot' set, " throw Error("derivation '%s' has '__noChroot' set, "
"but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath)); "but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
#if __APPLE__ #if __APPLE__
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
if (additionalSandboxProfile != "") if (additionalSandboxProfile != "")
throw Error("derivation '%s' specifies a sandbox profile, " throw Error("derivation '%s' specifies a sandbox profile, "
"but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath)); "but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
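Review bot: The new read of `__sandboxProfile` at the top of tryLocalBuild (first hunk) carries no comment explaining why it moved out of the `sandbox == true` branch, and that placement is the whole fix, so a later tidy-up could move it back and silently reintroduce the bug. Suggest `// Read the profile in every sandbox mode; the 'sandbox=true' branch below rejects a non-empty one.` immediately above the new `#if __APPLE__` block. Note that the remaining check only rejects a non-empty profile under `sandbox=true`; whether the text is actually applied under `relaxed`, and ignored under `false`, is decided by code outside these hunks, since tryLocalBuild continues past the second hunk.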


@ -0,0 +1,19 @@
{ destFile, seed }:
with import ./config.nix;
mkDerivation {
name = "simple";
__sandboxProfile = ''
# Allow writing any file in the filesystem
(allow file*)
'';
inherit seed;
buildCommand = ''
(
set -x
touch ${destFile}
touch $out
)
'';
}
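Review bot: `touch ${destFile}` in buildCommand expands the interpolated path into the shell unquoted, so a TEST_ROOT containing whitespace would split the argument; `touch "${destFile}"` and `touch "$out"` keep the fixture robust at no cost. The `(allow file*)` rule is deliberately broad and the comment says so, but it would help to state the test's reliance on it: `# Deliberately broad: the build must be able to write outside the store to show the profile was applied`.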


@ -0,0 +1,23 @@
source common.sh
if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
DEST_FILE="${TEST_ROOT}/foo"
testSandboxProfile () (
set -e
sandboxMode="$1"
rm -f "${DEST_FILE}"
nix-build --no-out-link ./extra-sandbox-profile.nix \
--option sandbox "$sandboxMode" \
--argstr seed "$RANDOM" \
--argstr destFile "${DEST_FILE}"
ls -l "${DEST_FILE}"
)
testSandboxProfile "false"
expectStderr 2 testSandboxProfile "true"
testSandboxProfile "relaxed"
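Review bot: `expectStderr 2 testSandboxProfile "true"` only checks the exit status, so any build failure with that status would pass, not just the rejection this commit tests; piping the output into `grepQuiet "specifies a sandbox profile"` (the helper the other functional tests use, presumably provided by common.sh) would pin it to the intended check. The `sandbox=false` case on L75 presumably runs with no sandbox applied at all, so it shows only that the profile is accepted rather than honoured; a comment such as `# sandbox=false: profile must be accepted, not applied` would stop a reader from taking the `ls -l` as proof of application. The `relaxed` case is the one that actually exercises the profile, and it is also the one whose result depends on the build not being served from cache, which the `$RANDOM` seed handles.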


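--- a/[path not shown on page: meson.build]
+++ b/[path not shown on page: meson.build]
@@ -182,6 +182,7 @@ functional_tests_scripts = [
 'debugger.sh',
 'plugins.sh',
 'test-libstoreconsumer.sh',
+'extra-sandbox-profile.sh',
 ]
 # TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make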