libstore: check additionalSandboxProfile

Make sure that `extraSandboxProfile` is set before we check whether it's empty or not (in the `sandbox=true` case). Also adds a test case for this. Co-Authored-By: Artemis Tosini <lix@artem.ist> Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
NixOS · May 6, 2024 · 9bd1191 · 9bd1191
1 parent 20445df
commit 9bd1191
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 4 deletions.
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
@@ -177,6 +177,10 @@ void LocalDerivationGoal::killSandbox(bool getStats)
 
 void LocalDerivationGoal::tryLocalBuild()
 {
+#if __APPLE__
+    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
+#endif
+
     unsigned int curBuilds = worker.getNrLocalBuilds();
     if (curBuilds >= settings.maxBuildJobs) {
         state = &DerivationGoal::tryToBuild;
@@ -495,10 +499,6 @@ void LocalDerivationGoal::startBuilder()
             settings.thisSystem,
             concatStringsSep<StringSet>(", ", worker.store.systemFeatures));
 
-#if __APPLE__
-    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
-#endif
-
     /* Create a temporary directory where the build will take
        place. */
     tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);

diff --git a/tests/functional/extra-sandbox-profile.nix b/tests/functional/extra-sandbox-profile.nix
@@ -0,0 +1,19 @@
+{ destFile, seed }:
+
+with import ./config.nix;
+
+mkDerivation {
+  name = "simple";
+  __sandboxProfile = ''
+    # Allow writing any file in the filesystem
+    (allow file*)
+  '';
+  inherit seed;
+  buildCommand = ''
+    (
+      set -x
+      touch ${destFile}
+      touch $out
+    )
+  '';
+}
diff --git a/tests/functional/extra-sandbox-profile.sh b/tests/functional/extra-sandbox-profile.sh
@@ -0,0 +1,23 @@
+source common.sh
+
+if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
+
+DEST_FILE="${TEST_ROOT}/foo"
+
+testSandboxProfile () (
+    set -e
+
+    sandboxMode="$1"
+
+    rm -f "${DEST_FILE}"
+    nix-build --no-out-link ./extra-sandbox-profile.nix \
+        --option sandbox "$sandboxMode" \
+        --argstr seed "$RANDOM" \
+        --argstr destFile "${DEST_FILE}"
+
+    ls -l "${DEST_FILE}"
+)
+
+testSandboxProfile "false"
+expectStderr 2 testSandboxProfile "true"
+testSandboxProfile "relaxed"
diff --git a/tests/functional/local.mk b/tests/functional/local.mk
@@ -130,6 +130,7 @@ nix_tests = \
   nested-sandboxing.sh \
   impure-env.sh \
   debugger.sh \
+  extra-sandbox-profile.sh \
   help.sh
 
 ifeq ($(HAVE_LIBCPUID), 1)