Fix nix-build --check -K in sandbox w/o root

Temporarily add user-write permission to build directory so that it can be moved out of the sandbox to the store with a .check suffix. This is necessary because the build directory has already had its permissions set read-only, but write permission is required to update the directory's parent link to move it out of the sandbox. Updated the related --check "derivation may not be deterministic" messages to consistently use the real store paths. Added test for non-root sandbox nix-build --check -K to demonstrate issue and help prevent regressions.
2025-07-07 18:31:49 +02:00 · 2019-02-17 14:34:31 -05:00 · 2019-02-17 14:34:31 -05:00 · 8132d0a12e
commit 8132d0a12e
parent 3abf6d03c6
2 changed files with 33 additions and 4 deletions
--- a/tests/linux-sandbox.sh
+++ b/tests/linux-sandbox.sh
@ -28,3 +28,10 @@ nix cat-store $outPath/foobar | grep FOOBAR

 # Test --check without hash rewriting.
 nix-build dependencies.nix --no-out-link --check --sandbox-paths /nix/store
+
+# Test that sandboxed builds with --check and -K can move .check directory to store
+nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link
+
+(! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log)
+if grep -q 'error: renaming' $TEST_ROOT/log; then false; fi
+grep -q 'may not be deterministic' $TEST_ROOT/log