1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-08 19:23:54 +02:00

Merge pull request #10456 from NixOS/fixpermdeniedbind

Fix adding symlink to the sandbox paths
This commit is contained in:
Théophane Hufschmitt 2024-04-11 13:41:49 +02:00 committed by GitHub
commit da1e977bf4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 58 additions and 7 deletions

View file

@ -73,3 +73,6 @@ testCert missing fixed-output "$nocert"
# Cert in sandbox when ssl-cert-file is set to an existing file
testCert present fixed-output "$cert"
# Symlinks should be added in the sandbox directly and not followed
nix-sandbox-build symlink-derivation.nix

View file

@ -0,0 +1,36 @@
with import ./config.nix;
let
foo_in_store = builtins.toFile "foo" "foo";
foo_symlink = mkDerivation {
name = "foo-symlink";
buildCommand = ''
ln -s ${foo_in_store} $out
'';
};
symlink_to_not_in_store = mkDerivation {
name = "symlink-to-not-in-store";
buildCommand = ''
ln -s ${builtins.toString ./.} $out
'';
};
in
mkDerivation {
name = "depends-on-symlink";
buildCommand = ''
(
set -x
# `foo_symlink` should be a symlink pointing to `foo_in_store`
[[ -L ${foo_symlink} ]]
[[ $(readlink ${foo_symlink}) == ${foo_in_store} ]]
# `symlink_to_not_in_store` should be a symlink pointing to `./.`, which
# is not available in the sandbox
[[ -L ${symlink_to_not_in_store} ]]
[[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]]
(! ls ${symlink_to_not_in_store}/)
)
echo "Success!" > $out
'';
}