Merge pull request #8696 from NixLayeredStore/nested-sandboxing
Test nested sandboxing, and make nicer error
commit
bc499b2e4e
@ -594,6 +594,10 @@ void LocalDerivationGoal::startBuilder()
else
else
dirsInChroot[i.substr(0, p)] = {i.substr(p + 1), optional};
dirsInChroot[i.substr(0, p)] = {i.substr(p + 1), optional};
}
}
if (hasPrefix(worker.store.storeDir, tmpDirInSandbox))
{
throw Error("`sandbox-build-dir` must not contain the storeDir");
}
dirsInChroot[tmpDirInSandbox] = tmpDir;
dirsInChroot[tmpDirInSandbox] = tmpDir;
/* Add the closure of store paths to the chroot. */
/* Add the closure of store paths to the chroot. */
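Review bot: The new guard `if (hasPrefix(worker.store.storeDir, tmpDirInSandbox))` is a byte-prefix test rather than a path-component test, so a sandbox-build-dir such as `/ni` is rejected although it does not contain `/nix/store`, and the reverse nesting (a build dir placed inside the store dir) is not what this condition checks, so it is left to whatever validation exists elsewhere in startBuilder. A component-aware form would be `if (tmpDirInSandbox == "/" || worker.store.storeDir == tmpDirInSandbox || hasPrefix(worker.store.storeDir, tmpDirInSandbox + "/"))`, assuming storeDir carries no trailing slash. The error text is what tests/nested-sandboxing.sh greps for, so the backtick-quoted `sandbox-build-dir` wording has to stay in sync with that test if the message is ever reworded. startBuilder's body begins and ends outside this hunk.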
@ -138,7 +138,8 @@ nix_tests = \
path-from-hash-part.sh \
path-from-hash-part.sh \
test-libstoreconsumer.sh \
test-libstoreconsumer.sh \
toString-path.sh \
toString-path.sh \
read-only-store.sh
read-only-store.sh \
nested-sandboxing.sh
ifeq ($(HAVE_LIBCPUID), 1)
ifeq ($(HAVE_LIBCPUID), 1)
nix_tests += compute-levels.sh
nix_tests += compute-levels.sh
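--- /dev/null
+++ b/tests/nested-sandboxing.sh
@@ -0,0 +1,11 @@
+source common.sh
+# This test is run by `tests/nested-sandboxing/runner.nix` in an extra layer of sandboxing.
+[[ -d /nix/store ]] || skipTest "running this test without Nix's deps being drawn from /nix/store is not yet supported"
+
+requireSandboxSupport
+
+source ./nested-sandboxing/command.sh
+
+expectStderr 100 runNixBuild badStoreUrl 2 | grepQuiet '`sandbox-build-dir` must not contain'
+
+runNixBuild goodStoreUrl 5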
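Review bot: In `expectStderr 100 runNixBuild badStoreUrl 2 | grepQuiet '...'` only the exit status of grepQuiet decides the outcome unless common.sh enables pipefail, which is not visible from this file; if expectStderr's exit-code check fails but it still forwards the captured stderr, the phrase match alone would make the line pass. Capturing first keeps both checks observable: `err=$(expectStderr 100 runNixBuild badStoreUrl 2)` followed by `echo "$err" | grepQuiet '`sandbox-build-dir` must not contain'`. This is a hedge on how expectStderr reports failure; if it already aborts the whole test on a mismatch, the current form is fine and a one-line comment saying so would save the next reader the same question.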
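--- /dev/null
+++ b/tests/nested-sandboxing/command.sh
@@ -0,0 +1,29 @@
+export NIX_BIN_DIR=$(dirname $(type -p nix))
+# TODO Get Nix and its closure more flexibly
+export EXTRA_SANDBOX="/nix/store $(dirname $NIX_BIN_DIR)"
+
+badStoreUrl () {
+    local altitude=$1
+    echo $TEST_ROOT/store-$altitude
+}
+
+goodStoreUrl () {
+    local altitude=$1
+    echo $("badStoreUrl" "$altitude")?store=/foo-$altitude
+}
+
+# The non-standard sandbox-build-dir helps ensure that we get the same behavior
+# whether this test is being run in a derivation as part of the nix build or
+# being manually run by a developer outside a derivation
+runNixBuild () {
+    local storeFun=$1
+    local altitude=$2
+    nix-build \
+        --no-substitute --no-out-link \
+        --store "$("$storeFun" "$altitude")" \
+        --extra-sandbox-paths "$EXTRA_SANDBOX" \
+        ./nested-sandboxing/runner.nix \
+        --arg altitude "$((altitude - 1))" \
+        --argstr storeFun "$storeFun" \
+        --sandbox-build-dir /build-non-standard
+}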
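Review bot: The expansions in `export NIX_BIN_DIR=$(dirname $(type -p nix))`, `export EXTRA_SANDBOX="/nix/store $(dirname $NIX_BIN_DIR)"` and `echo $TEST_ROOT/store-$altitude` are unquoted, so a Nix install prefix or TEST_ROOT containing whitespace is word-split, and the unquoted `echo` lines in badStoreUrl and goodStoreUrl are also subject to pathname expansion. Quoting them, e.g. `export NIX_BIN_DIR=$(dirname "$(type -p nix)")`, `export EXTRA_SANDBOX="/nix/store $(dirname "$NIX_BIN_DIR")"` and `echo "$TEST_ROOT/store-$altitude"`, keeps the values intact; the goodStoreUrl echo wants the same treatment. EXTRA_SANDBOX is itself a space-separated list handed to `--extra-sandbox-paths`, so a prefix with spaces would still break until the TODO on the second line is resolved, and that TODO comment is the right place to say so. The file relies on TEST_ROOT and on `nix` being on PATH when sourced; a header comment naming those preconditions would help, since nothing in the file sets them.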
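--- /dev/null
+++ b/tests/nested-sandboxing/runner.nix
@@ -0,0 +1,24 @@
+{ altitude, storeFun }:
+
+with import ../config.nix;
+
+mkDerivation {
+  name = "nested-sandboxing";
+  busybox = builtins.getEnv "busybox";
+  EXTRA_SANDBOX = builtins.getEnv "EXTRA_SANDBOX";
+  buildCommand = if altitude == 0 then ''
+    echo Deep enough! > $out
+  '' else ''
+    cp -r ${../common} ./common
+    cp ${../common.sh} ./common.sh
+    cp ${../config.nix} ./config.nix
+    cp -r ${./.} ./nested-sandboxing
+
+    export PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH
+
+    source common.sh
+    source ./nested-sandboxing/command.sh
+
+    runNixBuild ${storeFun} ${toString altitude} >> $out
+  '';
+}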
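Review bot: `export PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH` yields a leading empty PATH entry when NIX_BIN_DIR is unset or empty (builtins.getEnv returns "" in that case), and an empty PATH component makes the shell search the current working directory, which at that point is the build directory this derivation has just copied test files into. A guard at the top of the file, `assert builtins.getEnv "NIX_BIN_DIR" != "";` placed after the argument line, turns that into an evaluation error instead of a silently odd PATH. The `busybox` and `EXTRA_SANDBOX` attributes are only populated from the environment here; whether ../config.nix's mkDerivation consumes them is not visible in this file, and command.sh re-exports EXTRA_SANDBOX itself once sourced, so a short comment on each attribute naming its consumer would help the next reader.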