From 36b7e30c1184035e72a7f24dc4656099ac6e208e Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux
Date: Fri, 19 May 2023 22:47:40 +0200
Subject: [PATCH 1/3] Make mounting ssl cert file optional

---
 src/libstore/build/local-derivation-goal.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 36c89bee9..b50ff1f86 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1777,7 +1777,7 @@ void LocalDerivationGoal::runChild()
 if (pathExists(path))
 ss.push_back(path);
- dirsInChroot.emplace(settings.caFile, "/etc/ssl/certs/ca-certificates.crt");
+ dirsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
 }
 for (auto & i : ss) dirsInChroot.emplace(i, i);

From b14fea6fffaafa30faf67d89b6b6a01c14b3ddf3 Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux
Date: Fri, 19 May 2023 23:30:35 +0200
Subject: [PATCH 2/3] Shortcircuit for empty caFile

---
 src/libstore/build/local-derivation-goal.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index b50ff1f86..05d6685da 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1777,7 +1777,8 @@ void LocalDerivationGoal::runChild()
 if (pathExists(path))
 ss.push_back(path);
- dirsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
+ if (settings.caFile != "")
+ dirsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
 }
 for (auto & i : ss) dirsInChroot.emplace(i, i);

From 5a98dd0b3911be970dbaae414b150c35241d2523 Mon Sep 17 00:00:00 2001
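Review bot: The bare `true` on the added `try_emplace` line is an undocumented literal — the commit title says it makes the mount optional, but nothing at the call site records that, nor that `try_emplace` deliberately leaves an existing entry keyed by `/etc/ssl/certs/ca-certificates.crt` (presumably one the user listed in sandbox-paths) in place so it takes precedence over `ssl-cert-file`. Suggest a comment above the line: `// Expose the configured CA bundle at the conventional path for fixed-output builds; optional so a missing bundle does not fail the build, and try_emplace keeps any explicit sandbox-paths entry for this path.` The construction of the mapped value from `(settings.caFile, true)` and the meaning of its flag live outside the hunk, so the "optional" reading is inferred from the commit message rather than from visible code. The enclosing block of runChild() starts and ends outside the hunk.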
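Review bot: The new guard `if (settings.caFile != "")` gives no reason why an empty value must be skipped while a configured-but-absent file is tolerated, so the final code reads as two unexplained special cases (`""` here, the `true` flag on the next line). Suggest a comment on the guard: `// An empty ssl-cert-file means no bundle is configured; a configured path that does not exist is tolerated through the optional flag rather than failing the build.` As a point of style, `!settings.caFile.empty()` states the intent more directly than comparing against a literal, provided the setting type forwards the string's members (if it only converts, the current comparison is the right form). The block this sits in starts outside the hunk; the tests in PATCH 3/3 indicate it is the fixed-output-only branch, which the comment could also name.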
From: Guillaume Maudoux
Date: Mon, 22 May 2023 02:32:09 +0200
Subject: [PATCH 3/3] Add tests for bind mount of SSL certs in sandbox

---
 tests/linux-sandbox-cert-test.nix | 29 +++++++++++++++++++++++++++++
 tests/linux-sandbox.sh | 24 ++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 tests/linux-sandbox-cert-test.nix

diff --git a/tests/linux-sandbox-cert-test.nix b/tests/linux-sandbox-cert-test.nix
new file mode 100644
index 000000000..2b86dad2e
--- /dev/null
+++ b/tests/linux-sandbox-cert-test.nix
@@ -0,0 +1,29 @@
+{ fixed-output }:
+
+with import ./config.nix;
+
+mkDerivation ({
+ name = "ssl-export";
+ buildCommand = ''
+ # Add some indirection, otherwise grepping into the debug output finds the string.
+ report () { echo CERT_$1_IN_SANDBOX; }
+
+ if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+ content=$( $TEST_ROOT/log)
+ cat $TEST_ROOT/log
+ grepQuiet "CERT_${1}_IN_SANDBOX" $TEST_ROOT/log
+}
+
+nocert=$TEST_ROOT/no-cert-file.pem
+cert=$TEST_ROOT/some-cert-file.pem
+echo -n "CERT_CONTENT" > $cert
+
+# No cert in sandbox when not a fixed-output derivation
+testCert missing normal "$cert"
+
+# No cert in sandbox when ssl-cert-file is empty
+testCert missing fixed-output ""
+
+# No cert in sandbox when ssl-cert-file is a nonexistent file
+testCert missing fixed-output "$nocert"
+
+# Cert in sandbox when ssl-cert-file is set to an existing file
+testCert present fixed-output "$cert"
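Review bot: The three `fixed-output` calls to `testCert` build what looks like the same derivation with only the `ssl-cert-file` option varying, and that option is presumably not part of the derivation hash; unless the part of `testCert` that is not visible on this page forces the builder to run each time (for example `nix-build --check`, or removing the output between calls), the second and third calls could be served from the first call's output, making the `missing` checks pass vacuously and the `present` check fail for the wrong reason. Whatever the mechanism is, a comment on the function would make the test self-explaining: `# The builder must actually run on every call: ssl-cert-file is not part of the derivation, so the output would otherwise be reused.` The `echo -n "CERT_CONTENT" > $cert` fixture is a non-PEM placeholder, which is adequate for a presence check but deserves `# content only needs to be recognisable in the log, not a valid bundle`. The opening lines of `testCert` fall outside the page, and the nix file's hunk is fused into this one at `content=$( $TEST_ROOT/log)`, so the build invocation and the `present`/`missing` reporting in the builder could not be reviewed here.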