libstore: Fix sandbox=relaxed
The fix for the Darwin vulnerability in ecdbc3b207
also broke setting `__sandboxProfile` when `sandbox=relaxed` or `sandbox=false`. This cppnix change fixes `sandbox=relaxed` and adds a suitable test. Co-Authored-By: Artemis Tosini <lix@artem.ist> Co-Authored-By: Eelco Dolstra <edolstra@gmail.com> Change-Id:I40190f44f3e1d61846df1c7b89677c20a1488522
parent
f782c8a60a
commit
adea821d87
|
@ -175,6 +175,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
|
||||||
|
|
||||||
void LocalDerivationGoal::tryLocalBuild()
|
void LocalDerivationGoal::tryLocalBuild()
|
||||||
{
|
{
|
||||||
|
#if __APPLE__
|
||||||
|
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||||||
|
#endif
|
||||||
|
|
||||||
unsigned int curBuilds = worker.getNrLocalBuilds();
|
unsigned int curBuilds = worker.getNrLocalBuilds();
|
||||||
if (curBuilds >= settings.maxBuildJobs) {
|
if (curBuilds >= settings.maxBuildJobs) {
|
||||||
state = &DerivationGoal::tryToBuild;
|
state = &DerivationGoal::tryToBuild;
|
||||||
|
@ -193,7 +197,6 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||||
throw Error("derivation '%s' has '__noChroot' set, "
|
throw Error("derivation '%s' has '__noChroot' set, "
|
||||||
"but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
|
"but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
|
||||||
#if __APPLE__
|
#if __APPLE__
|
||||||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
|
||||||
if (additionalSandboxProfile != "")
|
if (additionalSandboxProfile != "")
|
||||||
throw Error("derivation '%s' specifies a sandbox profile, "
|
throw Error("derivation '%s' specifies a sandbox profile, "
|
||||||
"but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
|
"but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
|
||||||
|
|
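Review bot: The `__sandboxProfile` read that now sits at the top of `tryLocalBuild()` carries no comment, although its position is what lets the later `additionalSandboxProfile != ""` rejection see the value in every sandbox mode. I would add `// Must be read before the sandbox-mode checks below; they reject a derivation-supplied profile based on this value.` above the new `#if __APPLE__`, so that a later refactor does not move it back into a single branch. The error text also says the profile is "only allowed when 'sandbox' is 'relaxed'", while the commit message and the new test treat `sandbox=false` as accepted too, so the wording could name both modes. The function body continues outside both hunks, so the branch conditions themselves are not visible here.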
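--- a/tests/functional/extra-sandbox-profile.nix
+++ b/tests/functional/extra-sandbox-profile.nix
@@ -0,0 +1,19 @@
+{ destFile, seed }:
+
+with import ./config.nix;
+
+mkDerivation {
+name = "simple";
+__sandboxProfile = ''
+# Allow writing any file in the filesystem
+(allow file*)
+'';
+inherit seed;
+buildCommand = ''
+(
+set -x
+touch ${destFile}
+touch $out
+)
+'';
+}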
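Review bot: The comment inside `__sandboxProfile` says the rule allows writing, but `(allow file*)` matches every file operation, not only writes. Either narrow the rule to what the test needs, for example `(allow file-write*)` if the base profile already permits the reads that `touch` performs, or reword the comment to `# Allow all file operations anywhere in the filesystem`. Since `destFile` is already an argument, the rule could probably be scoped to that one path, so the fixture grants no more than the test checks.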
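--- a/tests/functional/extra-sandbox-profile.sh
+++ b/tests/functional/extra-sandbox-profile.sh
@@ -0,0 +1,23 @@
+source common.sh
+
+if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
+
+DEST_FILE="${TEST_ROOT}/foo"
+
+testSandboxProfile () (
+set -e
+
+sandboxMode="$1"
+
+rm -f "${DEST_FILE}"
+nix-build --no-out-link ./extra-sandbox-profile.nix \
+--option sandbox "$sandboxMode" \
+--argstr seed "$RANDOM" \
+--argstr destFile "${DEST_FILE}"
+
+ls -l "${DEST_FILE}"
+)
+
+testSandboxProfile "false"
+expectStderr 2 testSandboxProfile "true"
+testSandboxProfile "relaxed"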
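Review bot: `expectStderr 2 testSandboxProfile "true"` checks only an exit status, so the sandbox=true case does not prove that the build was refused for carrying a `__sandboxProfile`. Because the function runs through a wrapper, `set -e` may not stop it after a failing `nix-build`, in which case the status could come from the trailing `ls -l` on a missing file rather than from the rejection. I would match the captured output against the message raised by the C++ check, for example by piping it into a grep for `specifies a sandbox profile`. The `"false"` call presumably passes whether or not the profile is honoured, since an unsandboxed build can likely write `DEST_FILE` anyway, so only the `"relaxed"` call exercises the fix.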
|
@ -182,6 +182,7 @@ functional_tests_scripts = [
|
||||||
'debugger.sh',
|
'debugger.sh',
|
||||||
'plugins.sh',
|
'plugins.sh',
|
||||||
'test-libstoreconsumer.sh',
|
'test-libstoreconsumer.sh',
|
||||||
|
'extra-sandbox-profile.sh',
|
||||||
]
|
]
|
||||||
|
|
||||||
# TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make
|
# TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make
|
||||||
|
|