Add some tests for drop-supplementary-groups
parent
746c6aae3f
commit
d8ef0c9495
|
@ -4,7 +4,7 @@ if [[ -z "${COMMON_SH_SOURCED-}" ]]; then
|
||||||
|
|
||||||
COMMON_SH_SOURCED=1
|
COMMON_SH_SOURCED=1
|
||||||
|
|
||||||
source "$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")/common/vars-and-functions.sh"
|
source "$(readlink -f "$(dirname "${BASH_SOURCE[0]-$0}")")/common/vars-and-functions.sh"
|
||||||
if [[ -n "${NIX_DAEMON_PACKAGE:-}" ]]; then
|
if [[ -n "${NIX_DAEMON_PACKAGE:-}" ]]; then
|
||||||
startDaemon
|
startDaemon
|
||||||
fi
|
fi
|
||||||
|
|
|
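Review bot: The `${BASH_SOURCE[0]-$0}` form on the `source` line needs a comment, because when `BASH_SOURCE` is unset the include path is derived from `$0`, which is not necessarily this file. If `$0` is a bare `bash` (a script fed on stdin, which is presumably the case this fallback is for), `dirname` yields `.` and `common/vars-and-functions.sh` is resolved against the current directory instead of the script's own location. I would add `# BASH_SOURCE can be unset when the caller's script comes from stdin; $0 then resolves relative to cwd` above the line. The same fallback in the `PS4` export of the next hunk should get a matching one-line comment. The guarded `if` block starts above this hunk and is not closed inside it.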
@ -4,7 +4,7 @@ if [[ -z "${COMMON_VARS_AND_FUNCTIONS_SH_SOURCED-}" ]]; then
|
||||||
|
|
||||||
COMMON_VARS_AND_FUNCTIONS_SH_SOURCED=1
|
COMMON_VARS_AND_FUNCTIONS_SH_SOURCED=1
|
||||||
|
|
||||||
export PS4='+(${BASH_SOURCE[0]}:$LINENO) '
|
export PS4='+(${BASH_SOURCE[0]-$0}:$LINENO) '
|
||||||
|
|
||||||
export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default}
|
export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default}
|
||||||
export NIX_STORE_DIR
|
export NIX_STORE_DIR
|
||||||
|
|
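--- a/tests/hermetic.nix
+++ b/tests/hermetic.nix
@@ -0,0 +1,56 @@
+{ busybox, seed }:
+
+with import ./config.nix;
+
+let
+contentAddressedByDefault = builtins.getEnv "NIX_TESTS_CA_BY_DEFAULT" == "1";
+caArgs = if contentAddressedByDefault then {
+__contentAddressed = true;
+outputHashMode = "recursive";
+outputHashAlgo = "sha256";
+} else {};
+
+mkDerivation = args:
+derivation ({
+inherit system;
+builder = busybox;
+args = ["sh" "-e" args.builder or (builtins.toFile "builder-${args.name}.sh" "if [ -e .attrs.sh ]; then source .attrs.sh; fi; eval \"$buildCommand\"")];
+} // removeAttrs args ["builder" "meta" "passthru"]
+// caArgs)
+// { meta = args.meta or {}; passthru = args.passthru or {}; };
+
+input1 = mkDerivation {
+shell = busybox;
+name = "hermetic-input-1";
+buildCommand = "echo hi-input1 seed=${toString seed}; echo FOO > $out";
+};
+
+input2 = mkDerivation {
+shell = busybox;
+name = "hermetic-input-2";
+buildCommand = "echo hi; echo BAR > $out";
+};
+
+input3 = mkDerivation {
+shell = busybox;
+name = "hermetic-input-3";
+buildCommand = ''
+echo hi-input3
+read x < ${input2}
+echo $x BAZ > $out
+'';
+};
+
+in
+
+mkDerivation {
+shell = busybox;
+name = "hermetic";
+passthru = { inherit input1 input2 input3; };
+buildCommand =
+''
+read x < ${input1}
+read y < ${input3}
+echo "$x $y" > $out
+'';
+}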
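Review bot: The local `mkDerivation` never reads `args.shell`, so the `shell = busybox;` attribute on all four derivations is only passed through as an environment variable, and none of the visible build commands use it. Either drop the attribute or add a comment saying why it is kept. The file also has no header comment; something like `# Fixture whose builder is the busybox passed in by the test; seed only appears in input1's echo, so changing it forces a fresh input1` would tell the next reader why this `mkDerivation` shadows whatever `with import ./config.nix;` brings in. That reading is inferred from the visible attributes, so confirm it before committing the wording.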
@ -93,6 +93,7 @@ nix_tests = \
|
||||||
misc.sh \
|
misc.sh \
|
||||||
dump-db.sh \
|
dump-db.sh \
|
||||||
linux-sandbox.sh \
|
linux-sandbox.sh \
|
||||||
|
supplementary-groups.sh \
|
||||||
build-dry.sh \
|
build-dry.sh \
|
||||||
structured-attrs.sh \
|
structured-attrs.sh \
|
||||||
shell.sh \
|
shell.sh \
|
||||||
|
|
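--- a/tests/supplementary-groups.sh
+++ b/tests/supplementary-groups.sh
@@ -0,0 +1,33 @@
+source common.sh
+
+requireSandboxSupport
+[[ $busybox =~ busybox ]] || skipTest "no busybox"
+if ! command -p -v unshare; then skipTest "Need unshare"; fi
+needLocalStore "The test uses --store always so we would just be bypassing the daemon"
+
+unshare --mount --map-root-user bash <<EOF
+source common.sh
+
+setLocalStore () {
+export NIX_REMOTE=\$TEST_ROOT/\$1
+mkdir -p \$NIX_REMOTE
+}
+
+cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1)
+
+# Fails with default setting
+# TODO better error
+setLocalStore store1
+expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+# Fails with `drop-supplementary-groups`
+# TODO better error
+setLocalStore store2
+NIX_CONFIG='drop-supplementary-groups = true' \
+expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+# Works without `drop-supplementary-groups`
+setLocalStore store3
+NIX_CONFIG='drop-supplementary-groups = false' \
+"\${cmd[@]}"
+EOF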
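Review bot: The two comments that wrap drop-supplementary-groups in backticks sit inside the unquoted `<<EOF` here-document, so the outer shell treats the backticks as command substitution and tries to run a command of that name before the inner bash sees the text. Drop the backticks (`# Fails with drop-supplementary-groups = true`) or escape them the way the surrounding `\$` expansions are escaped. Both negative cases also match only the generic `unable to start build process`, which any start-up failure would produce, so the test cannot show that supplementary-group handling is what failed; the `TODO better error` lines acknowledge this. Until a specific message exists, a comment stating why the build is expected to fail under `unshare --map-root-user` would make an unrelated failure easier to spot.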