Merge pull request #10456 from NixOS/fixpermdeniedbind

Fix adding symlink to the sandbox paths
2025-07-08 19:23:54 +02:00 · 2024-04-11 13:41:49 +02:00 · 2024-04-11 13:41:49 +02:00 · da1e977bf4
commit da1e977bf4
parent def00d7b52 ae4737294e
3 changed files with 58 additions and 7 deletions
--- a/tests/functional/linux-sandbox.sh
+++ b/tests/functional/linux-sandbox.sh
@ -73,3 +73,6 @@ testCert missing fixed-output "$nocert"

 # Cert in sandbox when ssl-cert-file is set to an existing file
 testCert present fixed-output "$cert"
+
+# Symlinks should be added in the sandbox directly and not followed
+nix-sandbox-build symlink-derivation.nix
--- a/tests/functional/symlink-derivation.nix
+++ b/tests/functional/symlink-derivation.nix
@ -0,0 +1,36 @@
+with import ./config.nix;
+
+let
+  foo_in_store = builtins.toFile "foo" "foo";
+  foo_symlink = mkDerivation {
+    name = "foo-symlink";
+    buildCommand = ''
+      ln -s ${foo_in_store} $out
+    '';
+  };
+  symlink_to_not_in_store = mkDerivation {
+    name = "symlink-to-not-in-store";
+    buildCommand = ''
+      ln -s ${builtins.toString ./.} $out
+    '';
+  };
+in
+mkDerivation {
+  name = "depends-on-symlink";
+  buildCommand = ''
+    (
+      set -x
+
+      # `foo_symlink` should be a symlink pointing to `foo_in_store`
+      [[ -L ${foo_symlink} ]]
+      [[ $(readlink ${foo_symlink}) == ${foo_in_store} ]]
+
+      # `symlink_to_not_in_store` should be a symlink pointing to `./.`, which
+      # is not available in the sandbox
+      [[ -L ${symlink_to_not_in_store} ]]
+      [[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]]
+      (! ls ${symlink_to_not_in_store}/)
+    )
+    echo "Success!" > $out
+  '';
+}