Add a new option "supplementary-groups" that allows specifying
additional groups to be mapped into the build sandbox and assigned as
supplementary groups for the build user.

This makes it possible to, for example, use the "kvm" group to provide
access to /dev/kvm even when auto-allocate-uids is enabled—something
that was not previously possible. It also enables use of supplementary
groups to grant sandboxed builds read-only access to secrets or other
shared resources.

Closes: https://github.com/NixOS/nix/issues/9276
Signed-off-by: Samuli Thomasson <samuli.thomasson@pm.me>

Clang doesn't like the double indent that is needed for the `if...else`
that is CPP'd away. Adding braces is fine in the `if...else...` case,
and fine as a naked block in the CPP'd away case, and properly-indented
both ways.

This is the utility changes from #9968, which were easier to rebase
first.

I (@Ericson2314) didn't write this code; I just rebased it.

Co-Authored-By: Artemis Tosini <me@artem.ist>
Co-Authored-By: Audrey Dutcher <audrey@rhelmot.io>