Merge pull request #3303 from LnL7/darwin-sandbox

build: fix sandboxing on darwin
2025-06-30 15:48:00 +02:00 · 2020-01-06 20:56:35 +01:00 · 2020-01-06 20:56:35 +01:00 · e2988f48a1
commit e2988f48a1
parent 0486e87791 66fccd5832
3 changed files with 22 additions and 15 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -3340,7 +3340,7 @@ void DerivationGoal::runChild()
            ;
        }
 #if __APPLE__
-        else if (getEnv("_NIX_TEST_NO_SANDBOX") == "") {
+        else {
            /* This has to appear before import statements. */
            std::string sandboxProfile = "(version 1)\n";

@ -3449,25 +3449,32 @@ void DerivationGoal::runChild()
            /* They don't like trailing slashes on subpath directives */
            if (globalTmpDir.back() == '/') globalTmpDir.pop_back();

-            builder = "/usr/bin/sandbox-exec";
-            args.push_back("sandbox-exec");
-            args.push_back("-f");
-            args.push_back(sandboxFile);
-            args.push_back("-D");
-            args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
-            args.push_back("-D");
-            args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
-            if (allowLocalNetworking) {
+            if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+                builder = "/usr/bin/sandbox-exec";
+                args.push_back("sandbox-exec");
+                args.push_back("-f");
+                args.push_back(sandboxFile);
                args.push_back("-D");
-                args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
+                args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
+                args.push_back("-D");
+                args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
+                if (allowLocalNetworking) {
+                    args.push_back("-D");
+                    args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
+                }
+                args.push_back(drv->builder);
+            } else {
+                printError("warning: running in sandboxing test mode, sandbox disabled");
+                builder = drv->builder.c_str();
+                args.push_back(std::string(baseNameOf(drv->builder)));
            }
-            args.push_back(drv->builder);
        }
-#endif
+#else
        else {
            builder = drv->builder.c_str();
            args.push_back(std::string(baseNameOf(drv->builder)));
        }
+#endif

        for (auto & i : drv->args)
            args.push_back(rewriteStrings(i, inputRewrites));