Add some tests for drop-supplementary-groups

2023-05-15 17:41:51 -04:00 · 2023-05-15 17:41:51 -04:00 · d8ef0c9495
parent 746c6aae3f
commit d8ef0c9495
5 changed files with 92 additions and 2 deletions
--- a/tests/common.sh
+++ b/tests/common.sh
@ -4,7 +4,7 @@ if [[ -z "${COMMON_SH_SOURCED-}" ]]; then

 COMMON_SH_SOURCED=1

-source "$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")/common/vars-and-functions.sh"
+source "$(readlink -f "$(dirname "${BASH_SOURCE[0]-$0}")")/common/vars-and-functions.sh"
 if [[ -n "${NIX_DAEMON_PACKAGE:-}" ]]; then
    startDaemon
 fi
--- a/tests/common/vars-and-functions.sh.in
+++ b/tests/common/vars-and-functions.sh.in
@ -4,7 +4,7 @@ if [[ -z "${COMMON_VARS_AND_FUNCTIONS_SH_SOURCED-}" ]]; then

 COMMON_VARS_AND_FUNCTIONS_SH_SOURCED=1

-export PS4='+(${BASH_SOURCE[0]}:$LINENO) '
+export PS4='+(${BASH_SOURCE[0]-$0}:$LINENO) '

 export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default}
 export NIX_STORE_DIR
--- a/tests/hermetic.nix
+++ b/tests/hermetic.nix
@ -0,0 +1,56 @@
+{ busybox, seed }:
+
+with import ./config.nix;
+
+let
+  contentAddressedByDefault = builtins.getEnv "NIX_TESTS_CA_BY_DEFAULT" == "1";
+  caArgs = if contentAddressedByDefault then {
+    __contentAddressed = true;
+    outputHashMode = "recursive";
+    outputHashAlgo = "sha256";
+  } else {};
+
+  mkDerivation = args:
+    derivation ({
+      inherit system;
+      builder = busybox;
+      args = ["sh" "-e" args.builder or (builtins.toFile "builder-${args.name}.sh" "if [ -e .attrs.sh ]; then source .attrs.sh; fi; eval \"$buildCommand\"")];
+    } // removeAttrs args ["builder" "meta" "passthru"]
+    // caArgs)
+    // { meta = args.meta or {}; passthru = args.passthru or {}; };
+
+  input1 = mkDerivation {
+    shell = busybox;
+    name = "hermetic-input-1";
+    buildCommand = "echo hi-input1 seed=${toString seed}; echo FOO > $out";
+  };
+
+  input2 = mkDerivation {
+    shell = busybox;
+    name = "hermetic-input-2";
+    buildCommand = "echo hi; echo BAR > $out";
+  };
+
+  input3 = mkDerivation {
+    shell = busybox;
+    name = "hermetic-input-3";
+    buildCommand = ''
+      echo hi-input3
+      read x < ${input2}
+      echo $x BAZ > $out
+    '';
+  };
+
+in
+
+  mkDerivation {
+    shell = busybox;
+    name = "hermetic";
+    passthru = { inherit input1 input2 input3; };
+    buildCommand =
+      ''
+        read x < ${input1}
+        read y < ${input3}
+        echo "$x $y" > $out
+      '';
+  }
--- a/tests/local.mk
+++ b/tests/local.mk
@ -93,6 +93,7 @@ nix_tests = \
  misc.sh \
  dump-db.sh \
  linux-sandbox.sh \
+  supplementary-groups.sh \
  build-dry.sh \
  structured-attrs.sh \
  shell.sh \
--- a/tests/supplementary-groups.sh
+++ b/tests/supplementary-groups.sh
@ -0,0 +1,33 @@
+source common.sh
+
+requireSandboxSupport
+[[ $busybox =~ busybox ]] || skipTest "no busybox"
+if ! command -p -v unshare; then skipTest "Need unshare"; fi
+needLocalStore "The test uses --store always so we would just be bypassing the daemon"
+
+unshare --mount --map-root-user bash <<EOF
+  source common.sh
+
+  setLocalStore () {
+    export NIX_REMOTE=\$TEST_ROOT/\$1
+    mkdir -p \$NIX_REMOTE
+  }
+
+  cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1)
+
+  # Fails with default setting
+  # TODO better error
+  setLocalStore store1
+  expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+  # Fails with `drop-supplementary-groups`
+  # TODO better error
+  setLocalStore store2
+  NIX_CONFIG='drop-supplementary-groups = true' \
+    expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+  # Works without `drop-supplementary-groups`
+  setLocalStore store3
+  NIX_CONFIG='drop-supplementary-groups = false' \
+    "\${cmd[@]}"
+EOF