Merge pull request #8696 from NixLayeredStore/nested-sandboxing
Test nested sandboxing, and make nicer error
This commit is contained in:
commit
bc499b2e4e
|
@ -594,6 +594,10 @@ void LocalDerivationGoal::startBuilder()
|
|||
else
|
||||
dirsInChroot[i.substr(0, p)] = {i.substr(p + 1), optional};
|
||||
}
|
||||
if (hasPrefix(worker.store.storeDir, tmpDirInSandbox))
|
||||
{
|
||||
throw Error("`sandbox-build-dir` must not contain the storeDir");
|
||||
}
|
||||
dirsInChroot[tmpDirInSandbox] = tmpDir;
|
||||
|
||||
/* Add the closure of store paths to the chroot. */
|
||||
|
|
|
@ -138,7 +138,8 @@ nix_tests = \
|
|||
path-from-hash-part.sh \
|
||||
test-libstoreconsumer.sh \
|
||||
toString-path.sh \
|
||||
read-only-store.sh
|
||||
read-only-store.sh \
|
||||
nested-sandboxing.sh
|
||||
|
||||
ifeq ($(HAVE_LIBCPUID), 1)
|
||||
nix_tests += compute-levels.sh
|
||||
|
|
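--- a/tests/nested-sandboxing.sh
+++ b/tests/nested-sandboxing.sh
@@ -0,0 +1,11 @@
+source common.sh
+# This test is run by `tests/nested-sandboxing/runner.nix` in an extra layer of sandboxing.
+[[ -d /nix/store ]] || skipTest "running this test without Nix's deps being drawn from /nix/store is not yet supported"
+
+requireSandboxSupport
+
+source ./nested-sandboxing/command.sh
+
+expectStderr 100 runNixBuild badStoreUrl 2 | grepQuiet '`sandbox-build-dir` must not contain'
+
+runNixBuild goodStoreUrl 5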
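Review bot: The numeric second argument to runNixBuild on the last two lines (2 and 5) is not explained anywhere in this file, even though it drives the whole test: command.sh passes `altitude - 1` to runner.nix, which stops recursing when it reaches 0. A comment above the first call would make the intended depth explicit, e.g. `# Second argument is the nesting depth ("altitude"): each inner build re-runs runner.nix with altitude - 1 until it hits 0.` It would also help to say on the expectStderr line why that invocation is expected to fail with exit code 100, which presumably is the bad store URL placing the store under the non-standard sandbox-build-dir and tripping the new check in startBuilder; as written, a reader has to reconstruct that from command.sh and the C++ change.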
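--- a/tests/nested-sandboxing/command.sh
+++ b/tests/nested-sandboxing/command.sh
@@ -0,0 +1,29 @@
+export NIX_BIN_DIR=$(dirname $(type -p nix))
+# TODO Get Nix and its closure more flexibly
+export EXTRA_SANDBOX="/nix/store $(dirname $NIX_BIN_DIR)"
+
+badStoreUrl () {
+local altitude=$1
+echo $TEST_ROOT/store-$altitude
+}
+
+goodStoreUrl () {
+local altitude=$1
+echo $("badStoreUrl" "$altitude")?store=/foo-$altitude
+}
+
+# The non-standard sandbox-build-dir helps ensure that we get the same behavior
+# whether this test is being run in a derivation as part of the nix build or
+# being manually run by a developer outside a derivation
+runNixBuild () {
+local storeFun=$1
+local altitude=$2
+nix-build \
+--no-substitute --no-out-link \
+--store "$("$storeFun" "$altitude")" \
+--extra-sandbox-paths "$EXTRA_SANDBOX" \
+./nested-sandboxing/runner.nix \
+--arg altitude "$((altitude - 1))" \
+--argstr storeFun "$storeFun" \
+--sandbox-build-dir /build-non-standard
+}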
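Review bot: `export NIX_BIN_DIR=$(dirname $(type -p nix))` on the first line neither quotes the inner substitution nor checks that it found anything; when `nix` is not on PATH, `type -p` prints nothing, `dirname` runs without an argument, NIX_BIN_DIR is exported empty and the script goes on to derive EXTRA_SANDBOX from it. Resolving the binary first and bailing out early avoids that silent degradation: `nix_bin=$(type -p nix) || skipTest "nix not found on PATH"` followed by `export NIX_BIN_DIR=$(dirname "$nix_bin")`. The same quoting applies to `echo $TEST_ROOT/store-$altitude` in badStoreUrl and to `$NIX_BIN_DIR` inside the EXTRA_SANDBOX assignment, since both values end up as --store and --extra-sandbox-paths arguments. Separately, EXTRA_SANDBOX exposes the parent of the bin directory rather than just the nix closure, so everything under that prefix becomes reachable from the inner build; the TODO on the second line hints at this, but a comment stating that these paths are made available inside the nested sandbox would make the trade-off obvious to whoever revisits it.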
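--- a/tests/nested-sandboxing/runner.nix
+++ b/tests/nested-sandboxing/runner.nix
@@ -0,0 +1,24 @@
+{ altitude, storeFun }:
+
+with import ../config.nix;
+
+mkDerivation {
+name = "nested-sandboxing";
+busybox = builtins.getEnv "busybox";
+EXTRA_SANDBOX = builtins.getEnv "EXTRA_SANDBOX";
+buildCommand = if altitude == 0 then ''
+echo Deep enough! > $out
+'' else ''
+cp -r ${../common} ./common
+cp ${../common.sh} ./common.sh
+cp ${../config.nix} ./config.nix
+cp -r ${./.} ./nested-sandboxing
+
+export PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH
+
+source common.sh
+source ./nested-sandboxing/command.sh
+
+runNixBuild ${storeFun} ${toString altitude} >> $out
+'';
+}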
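Review bot: `export PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH` in the else branch of buildCommand expands to `PATH=:$PATH` when NIX_BIN_DIR is not set in the evaluating environment, because builtins.getEnv yields the empty string for an unset variable; an empty leading PATH component is treated by the shell as the current directory, so the inner nix-build would be searched for in the build directory first. Binding the value once and refusing to evaluate without it closes that gap: `let nixBinDir = builtins.getEnv "NIX_BIN_DIR"; in assert nixBinDir != ""; mkDerivation {` placed after the `with`, and `export PATH=${nixBinDir}:$PATH` in the script. The `busybox` and `EXTRA_SANDBOX` attributes are read the same way and likewise become empty strings silently, so a comment noting that all three are impure reads that must be exported by the caller (command.sh exports two of them) would help. Finally, `runNixBuild ${storeFun} ${toString altitude}` splices storeFun into the shell unquoted; `runNixBuild "${storeFun}" "${toString altitude}"` is safer and costs nothing.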