Merge pull request #3303 from LnL7/darwin-sandbox
build: fix sandboxing on darwin
commit
e2988f48a1
3 changed files with 22 additions and 15 deletions
|
@ -3340,7 +3340,7 @@ void DerivationGoal::runChild()
|
|||
;
|
||||
}
|
||||
#if __APPLE__
|
||||
else if (getEnv("_NIX_TEST_NO_SANDBOX") == "") {
|
||||
else {
|
||||
/* This has to appear before import statements. */
|
||||
std::string sandboxProfile = "(version 1)\n";
|
||||
|
||||
|
@ -3449,25 +3449,32 @@ void DerivationGoal::runChild()
|
|||
/* They don't like trailing slashes on subpath directives */
|
||||
if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
|
||||
|
||||
builder = "/usr/bin/sandbox-exec";
|
||||
args.push_back("sandbox-exec");
|
||||
args.push_back("-f");
|
||||
args.push_back(sandboxFile);
|
||||
args.push_back("-D");
|
||||
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
|
||||
args.push_back("-D");
|
||||
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
|
||||
if (allowLocalNetworking) {
|
||||
if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
|
||||
builder = "/usr/bin/sandbox-exec";
|
||||
args.push_back("sandbox-exec");
|
||||
args.push_back("-f");
|
||||
args.push_back(sandboxFile);
|
||||
args.push_back("-D");
|
||||
args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
|
||||
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
|
||||
args.push_back("-D");
|
||||
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
|
||||
if (allowLocalNetworking) {
|
||||
args.push_back("-D");
|
||||
args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
|
||||
}
|
||||
args.push_back(drv->builder);
|
||||
} else {
|
||||
printError("warning: running in sandboxing test mode, sandbox disabled");
|
||||
builder = drv->builder.c_str();
|
||||
args.push_back(std::string(baseNameOf(drv->builder)));
|
||||
}
|
||||
args.push_back(drv->builder);
|
||||
}
|
||||
#endif
|
||||
#else
|
||||
else {
|
||||
builder = drv->builder.c_str();
|
||||
args.push_back(std::string(baseNameOf(drv->builder)));
|
||||
}
|
||||
#endif
|
||||
|
||||
for (auto & i : drv->args)
|
||||
args.push_back(rewriteStrings(i, inputRewrites));
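Review bot: The `getEnv("_NIX_TEST_NO_SANDBOX") != "1"` check in the `__APPLE__` branch lets an environment variable named for the test suite make the build run `drv->builder` directly, with only a `printError` warning, in what looks like the regular build path. Anyone who can influence the environment of the process that reaches runChild could therefore switch off `sandbox-exec` for builds. I would compile this override only into test builds, or at least document it above the check, for example `/* Test-suite escape hatch: disables the macOS sandbox; must never be set in the environment of a production daemon. */`. The same concern applies to the `_NIX_TEST_NO_LSOF` check in findRuntimeRoots, which skips the lsof-based root scan without printing anything. runChild's body starts and ends outside this hunk, so how the sandbox setting itself is enforced is not visible here.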
|
||||
|
|
|
@ -443,7 +443,7 @@ void LocalStore::findRuntimeRoots(Roots & roots, bool censor)
|
|||
// lsof is really slow on OS X. This actually causes the gc-concurrent.sh test to fail.
|
||||
// See: https://github.com/NixOS/nix/issues/3011
|
||||
// Because of this we disable lsof when running the tests.
|
||||
if (getEnv("_NIX_TEST_NO_LSOF") == "") {
|
||||
if (getEnv("_NIX_TEST_NO_LSOF") != "1") {
|
||||
try {
|
||||
std::regex lsofRegex(R"(^n(/.*)$)");
|
||||
auto lsofLines =
|
||||
|
|
|
@ -53,7 +53,7 @@ static int _main(int argc, char * * argv)
|
|||
{
|
||||
HashType ht = htSHA256;
|
||||
std::vector<string> args;
|
||||
bool printPath = getEnv("PRINT_PATH") != "";
|
||||
bool printPath = getEnv("PRINT_PATH") == "1";
|
||||
bool fromExpr = false;
|
||||
string attrPath;
|
||||
bool unpack = false;
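Review bot: `bool printPath = getEnv("PRINT_PATH") == "1";` narrows which values enable path printing. Going by the two versions of the line shown, any non-empty value used to work, so a caller exporting `PRINT_PATH=true` or `PRINT_PATH=yes` would now silently get no store path in the output. If the narrowing is intended, a comment such as `// only PRINT_PATH=1 enables this; any other value is ignored` and a matching line in the user documentation would make the contract explicit; otherwise keep the non-empty test. _main continues past the end of this hunk.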
|
||||
|
|