Merge pull request #10456 from NixOS/fixpermdeniedbind
Fix adding symlink to the sandbox paths
(cherry-picked from commit da1e977bf48cff2a635034c85e7c13878e38efc2)
Change-Id: I221c85a38180800ec6552d2e86a88df48398fad8
This commit is contained in:
parent
aeee22e5a1
commit
07b627cc6d
|
@ -389,21 +389,33 @@ void LocalDerivationGoal::cleanupPostOutputsRegisteredModeNonCheck()
|
||||||
#if __linux__
|
#if __linux__
|
||||||
static void doBind(const Path & source, const Path & target, bool optional = false) {
|
static void doBind(const Path & source, const Path & target, bool optional = false) {
|
||||||
debug("bind mounting '%1%' to '%2%'", source, target);
|
debug("bind mounting '%1%' to '%2%'", source, target);
|
||||||
struct stat st;
|
|
||||||
if (stat(source.c_str(), &st) == -1) {
|
auto bindMount = [&]() {
|
||||||
if (optional && errno == ENOENT)
|
if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REC, 0) == -1)
|
||||||
|
throw SysError("bind mount from '%1%' to '%2%' failed", source, target);
|
||||||
|
};
|
||||||
|
|
||||||
|
auto maybeSt = maybeLstat(source);
|
||||||
|
if (!maybeSt) {
|
||||||
|
if (optional)
|
||||||
return;
|
return;
|
||||||
else
|
else
|
||||||
throw SysError("getting attributes of path '%1%'", source);
|
throw SysError("getting attributes of path '%1%'", source);
|
||||||
}
|
}
|
||||||
if (S_ISDIR(st.st_mode))
|
auto st = *maybeSt;
|
||||||
|
|
||||||
|
if (S_ISDIR(st.st_mode)) {
|
||||||
createDirs(target);
|
createDirs(target);
|
||||||
else {
|
bindMount();
|
||||||
|
} else if (S_ISLNK(st.st_mode)) {
|
||||||
|
// Symlinks can (apparently) not be bind-mounted, so just copy it
|
||||||
|
createDirs(dirOf(target));
|
||||||
|
copyFile(source, target, /* andDelete */ false);
|
||||||
|
} else {
|
||||||
createDirs(dirOf(target));
|
createDirs(dirOf(target));
|
||||||
writeFile(target, "");
|
writeFile(target, "");
|
||||||
|
bindMount();
|
||||||
}
|
}
|
||||||
if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REC, 0) == -1)
|
|
||||||
throw SysError("bind mount from '%1%' to '%2%' failed", source, target);
|
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
|
@ -73,3 +73,6 @@ testCert missing fixed-output "$nocert"
|
||||||
|
|
||||||
# Cert in sandbox when ssl-cert-file is set to an existing file
|
# Cert in sandbox when ssl-cert-file is set to an existing file
|
||||||
testCert present fixed-output "$cert"
|
testCert present fixed-output "$cert"
|
||||||
|
|
||||||
|
# Symlinks should be added in the sandbox directly and not followed
|
||||||
|
nix-sandbox-build symlink-derivation.nix
|
||||||
|
|
36
tests/functional/symlink-derivation.nix
Normal file
36
tests/functional/symlink-derivation.nix
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
with import ./config.nix;
|
||||||
|
|
||||||
|
let
|
||||||
|
foo_in_store = builtins.toFile "foo" "foo";
|
||||||
|
foo_symlink = mkDerivation {
|
||||||
|
name = "foo-symlink";
|
||||||
|
buildCommand = ''
|
||||||
|
ln -s ${foo_in_store} $out
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
symlink_to_not_in_store = mkDerivation {
|
||||||
|
name = "symlink-to-not-in-store";
|
||||||
|
buildCommand = ''
|
||||||
|
ln -s ${builtins.toString ./.} $out
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in
|
||||||
|
mkDerivation {
|
||||||
|
name = "depends-on-symlink";
|
||||||
|
buildCommand = ''
|
||||||
|
(
|
||||||
|
set -x
|
||||||
|
|
||||||
|
# `foo_symlink` should be a symlink pointing to `foo_in_store`
|
||||||
|
[[ -L ${foo_symlink} ]]
|
||||||
|
[[ $(readlink ${foo_symlink}) == ${foo_in_store} ]]
|
||||||
|
|
||||||
|
# `symlink_to_not_in_store` should be a symlink pointing to `./.`, which
|
||||||
|
# is not available in the sandbox
|
||||||
|
[[ -L ${symlink_to_not_in_store} ]]
|
||||||
|
[[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]]
|
||||||
|
(! ls ${symlink_to_not_in_store}/)
|
||||||
|
)
|
||||||
|
echo "Success!" > $out
|
||||||
|
'';
|
||||||
|
}
|
Loading…
Reference in a new issue