Merge pull request #8240 from tweag/macos-sandbox

ci: Always run with sandbox, even on Darwin
2023-05-26 17:06:02 +02:00 · 2023-05-26 17:06:02 +02:00 · 940e9eb8dd
parent f41dd2c306 2c462486fe
commit 940e9eb8dd
6 changed files with 25 additions and 3 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -20,6 +20,9 @@ jobs:
      with:
        fetch-depth: 0
    - uses: cachix/install-nix-action@v20
+      with:
+        # The sandbox would otherwise be disabled by default on Darwin
+        extra_nix_config: "sandbox = true"
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
    - uses: cachix/cachix-action@v12
      if: needs.check_secrets.outputs.cachix == 'true'
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -2620,7 +2620,7 @@ Strings EvalSettings::getDefaultNixPath()
 {
    Strings res;
    auto add = [&](const Path & p, const std::string & s = std::string()) {
-        if (pathExists(p)) {
+        if (pathAccessible(p)) {
            if (s.empty()) {
                res.push_back(p);
            } else {
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@ -183,7 +183,7 @@ bool Settings::isWSL1()
 Path Settings::getDefaultSSLCertFile()
 {
    for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
-        if (pathExists(fn)) return fn;
+        if (pathAccessible(fn)) return fn;
    return "";
 }

--- a/src/libutil/tests/tests.cc
+++ b/src/libutil/tests/tests.cc
@ -202,7 +202,7 @@ namespace nix {
    }

    TEST(pathExists, bogusPathDoesNotExist) {
-        ASSERT_FALSE(pathExists("/home/schnitzel/darmstadt/pommes"));
+        ASSERT_FALSE(pathExists("/schnitzel/darmstadt/pommes"));
    }

    /* ----------------------------------------------------------------------------
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@ -266,6 +266,17 @@ bool pathExists(const Path & path)
    return false;
 }

+bool pathAccessible(const Path & path)
+{
+    try {
+        return pathExists(path);
+    } catch (SysError & e) {
+        // swallow EPERM
+        if (e.errNo == EPERM) return false;
+        throw;
+    }
+}
+

 Path readLink(const Path & path)
 {
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@ -120,6 +120,14 @@ struct stat lstat(const Path & path);
 */
 bool pathExists(const Path & path);

+/**
+ * A version of pathExists that returns false on a permission error.
+ * Useful for inferring default paths across directories that might not
+ * be readable.
+ * @return true iff the given path can be accessed and exists
+ */
+bool pathAccessible(const Path & path);
+
 /**
 * Read the contents (target) of a symbolic link.  The result is not
 * in any way canonicalised.