Merge "libstore: Fix sandbox=relaxed" into main

Artemis Tosini 2024-05-12 03:51:19 +00:00 committed by Gerrit Code Review
commit 4b35e6a75e
4 changed files with 47 additions and 1 deletions


@ -174,6 +174,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
void LocalDerivationGoal::tryLocalBuild() void LocalDerivationGoal::tryLocalBuild()
{ {
#if __APPLE__
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
#endif
unsigned int curBuilds = worker.getNrLocalBuilds(); unsigned int curBuilds = worker.getNrLocalBuilds();
if (curBuilds >= settings.maxBuildJobs) { if (curBuilds >= settings.maxBuildJobs) {
state = &DerivationGoal::tryToBuild; state = &DerivationGoal::tryToBuild;
@ -192,7 +196,6 @@ void LocalDerivationGoal::tryLocalBuild()
throw Error("derivation '%s' has '__noChroot' set, " throw Error("derivation '%s' has '__noChroot' set, "
"but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath)); "but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
#if __APPLE__ #if __APPLE__
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
if (additionalSandboxProfile != "") if (additionalSandboxProfile != "")
throw Error("derivation '%s' specifies a sandbox profile, " throw Error("derivation '%s' specifies a sandbox profile, "
"but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath)); "but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
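Review bot: The hoisted `__sandboxProfile` read at the top of `tryLocalBuild()` has no comment saying why it now runs for every sandbox mode, even though the value is derivation-controlled text that loosens the macOS sandbox. I would add above it `// Read for every sandbox mode: 'relaxed' must see the profile, 'true' rejects it below.` and `// Derivation-controlled input; only honour it when sandbox is 'relaxed'.` The code that consumes `additionalSandboxProfile` is not visible here, so it is worth confirming that it ignores the field when sandboxing is off or `__noChroot` applies. The assignment also sits before the `maxBuildJobs` early return, so it presumably repeats on each re-entry. The function body continues outside both hunks.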


@ -0,0 +1,19 @@
{ destFile, seed }:
with import ./config.nix;
mkDerivation {
name = "simple";
__sandboxProfile = ''
# Allow writing any file in the filesystem
(allow file*)
'';
inherit seed;
buildCommand = ''
(
set -x
touch ${destFile}
touch $out
)
'';
}
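Review bot: `(allow file*)` in `__sandboxProfile` grants every file operation on every path, which is wider than its own comment ("writing") and far wider than the single `touch ${destFile}` the test needs. Scoping the rule to the destination, for example `(allow file-write* (literal "${destFile}"))`, would show that the profile is what permits that specific write and keep the fixture from serving as a template for blanket profiles. Path canonicalisation on macOS (e.g. `/tmp` versus `/private/tmp`) may require adjusting the rule, so treat the exact form as a sketch.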


@ -0,0 +1,23 @@
source common.sh
if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
DEST_FILE="${TEST_ROOT}/foo"
testSandboxProfile () (
set -e
sandboxMode="$1"
rm -f "${DEST_FILE}"
nix-build --no-out-link ./extra-sandbox-profile.nix \
--option sandbox "$sandboxMode" \
--argstr seed "$RANDOM" \
--argstr destFile "${DEST_FILE}"
ls -l "${DEST_FILE}"
)
testSandboxProfile "false"
expectStderr 2 testSandboxProfile "true"
testSandboxProfile "relaxed"
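Review bot: The `sandbox = true` case on the `expectStderr 2 testSandboxProfile "true"` line only checks the exit status, so any failure with that status passes, including ones unrelated to the profile rejection. Matching the diagnostic would pin the intended path: `expectStderr 2 testSandboxProfile "true" | grep -q "specifies a sandbox profile"`. It would also help to assert afterwards that the file was not created, e.g. `[[ ! -e "${DEST_FILE}" ]]`.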


@ -182,6 +182,7 @@ functional_tests_scripts = [
'debugger.sh', 'debugger.sh',
'plugins.sh', 'plugins.sh',
'test-libstoreconsumer.sh', 'test-libstoreconsumer.sh',
'extra-sandbox-profile.sh',
] ]
# TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make # TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make