forked from lix-project/lix
build: fix sandboxing on darwin
Starting ba87b08f85
getEnv now returns an
std::optional which means these getEnv() != "" conditions no longer happen
if the variables are not defined.
This commit is contained in:
parent
0de33cc81b
commit
66fccd5832
3 changed files with 22 additions and 15 deletions
|
@ -3338,7 +3338,7 @@ void DerivationGoal::runChild()
|
||||||
;
|
;
|
||||||
}
|
}
|
||||||
#if __APPLE__
|
#if __APPLE__
|
||||||
else if (getEnv("_NIX_TEST_NO_SANDBOX") == "") {
|
else {
|
||||||
/* This has to appear before import statements. */
|
/* This has to appear before import statements. */
|
||||||
std::string sandboxProfile = "(version 1)\n";
|
std::string sandboxProfile = "(version 1)\n";
|
||||||
|
|
||||||
|
@ -3447,25 +3447,32 @@ void DerivationGoal::runChild()
|
||||||
/* They don't like trailing slashes on subpath directives */
|
/* They don't like trailing slashes on subpath directives */
|
||||||
if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
|
if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
|
||||||
|
|
||||||
builder = "/usr/bin/sandbox-exec";
|
if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
|
||||||
args.push_back("sandbox-exec");
|
builder = "/usr/bin/sandbox-exec";
|
||||||
args.push_back("-f");
|
args.push_back("sandbox-exec");
|
||||||
args.push_back(sandboxFile);
|
args.push_back("-f");
|
||||||
args.push_back("-D");
|
args.push_back(sandboxFile);
|
||||||
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
|
|
||||||
args.push_back("-D");
|
|
||||||
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
|
|
||||||
if (allowLocalNetworking) {
|
|
||||||
args.push_back("-D");
|
args.push_back("-D");
|
||||||
args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
|
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
|
||||||
|
args.push_back("-D");
|
||||||
|
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
|
||||||
|
if (allowLocalNetworking) {
|
||||||
|
args.push_back("-D");
|
||||||
|
args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
|
||||||
|
}
|
||||||
|
args.push_back(drv->builder);
|
||||||
|
} else {
|
||||||
|
printError("warning: running in sandboxing test mode, sandbox disabled");
|
||||||
|
builder = drv->builder.c_str();
|
||||||
|
args.push_back(std::string(baseNameOf(drv->builder)));
|
||||||
}
|
}
|
||||||
args.push_back(drv->builder);
|
|
||||||
}
|
}
|
||||||
#endif
|
#else
|
||||||
else {
|
else {
|
||||||
builder = drv->builder.c_str();
|
builder = drv->builder.c_str();
|
||||||
args.push_back(std::string(baseNameOf(drv->builder)));
|
args.push_back(std::string(baseNameOf(drv->builder)));
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
for (auto & i : drv->args)
|
for (auto & i : drv->args)
|
||||||
args.push_back(rewriteStrings(i, inputRewrites));
|
args.push_back(rewriteStrings(i, inputRewrites));
|
||||||
|
|
|
@ -443,7 +443,7 @@ void LocalStore::findRuntimeRoots(Roots & roots, bool censor)
|
||||||
// lsof is really slow on OS X. This actually causes the gc-concurrent.sh test to fail.
|
// lsof is really slow on OS X. This actually causes the gc-concurrent.sh test to fail.
|
||||||
// See: https://github.com/NixOS/nix/issues/3011
|
// See: https://github.com/NixOS/nix/issues/3011
|
||||||
// Because of this we disable lsof when running the tests.
|
// Because of this we disable lsof when running the tests.
|
||||||
if (getEnv("_NIX_TEST_NO_LSOF") == "") {
|
if (getEnv("_NIX_TEST_NO_LSOF") != "1") {
|
||||||
try {
|
try {
|
||||||
std::regex lsofRegex(R"(^n(/.*)$)");
|
std::regex lsofRegex(R"(^n(/.*)$)");
|
||||||
auto lsofLines =
|
auto lsofLines =
|
||||||
|
|
|
@ -53,7 +53,7 @@ static int _main(int argc, char * * argv)
|
||||||
{
|
{
|
||||||
HashType ht = htSHA256;
|
HashType ht = htSHA256;
|
||||||
std::vector<string> args;
|
std::vector<string> args;
|
||||||
bool printPath = getEnv("PRINT_PATH") != "";
|
bool printPath = getEnv("PRINT_PATH") == "1";
|
||||||
bool fromExpr = false;
|
bool fromExpr = false;
|
||||||
string attrPath;
|
string attrPath;
|
||||||
bool unpack = false;
|
bool unpack = false;
|
||||||
|
|
Loading…
Reference in a new issue