sandboxing breaks if $HOME/.ccache is a symlink to a different filesystem

[marc-legendre]

With opam 2.1.2:

$ opam init -n
No configuration file found, using built-in defaults.
Checking for available remotes: rsync and local, git, mercurial, darcs. Perfect!
[ERROR] Sandboxing is not working on your platform ubuntu:
        "~/.opam/opam-init/hooks/sandbox.sh build sh -c echo SUCCESS >$TMPDIR/opam-sandbox-check-out && cat $TMPDIR/opam-sandbox-check-out; rm -f $TMPDIR/opam-sandbox-check-out" exited with code 1 "bwrap: Can't
        bind mount /oldroot/hdd/ccache on /newroot/home/myusername/.ccache: No such file or directory"
Do you want to disable it?  Note that this will result in less secure package builds, so please ensure that you have some other isolation mechanisms in place (such as running within a container or virtual
machine). [y/N] 

If I keep going without disabling sandboxing, init fails when creating the initial switch:

<><> Fetching repository information ><><><><><><><><><><><><><><><><><><><><><>
[default] Initialised

<><> Creating initial switch 'default' (invariant ["ocaml" {>= "4.05.0"}] - initially with ocaml-system) 

<><> Installing new switch packages <><><><><><><><><><><><><><><><><><><><><><>
Switch invariant: ["ocaml" {>= "4.05.0"}]

<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
∗ installed base-bigarray.base
∗ installed base-threads.base
∗ installed base-unix.base
[ERROR] The compilation of ocaml-system.4.08.1 failed at "ocaml gen_ocaml_config.ml".

#=== ERROR while compiling ocaml-system.4.08.1 ================================#
# context     2.1.2 | linux/x86_64 |  | https://opam.ocaml.org#f1eef1a5
# path        ~/.opam/default/.opam-switch/build/ocaml-system.4.08.1
# command     ~/.opam/opam-init/hooks/sandbox.sh build ocaml gen_ocaml_config.ml
# exit-code   1
# env-file    /tmp/opam-myusername-16897/ocaml-system-16897-32f1da.env
# output-file /tmp/opam-myusername-16897/ocaml-system-16897-32f1da.out
### output ###
# bwrap: Can't bind mount /oldroot/hdd/ccache on /newroot/home/myusername/.ccache: No such file or directory



<><> Error report <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
┌─ The following actions failed
│ λ build ocaml-system 4.08.1
└─ 
┌─ The following changes have been performed (the rest was aborted)
│ ∗ install base-bigarray base
│ ∗ install base-threads  base
│ ∗ install base-unix     base
└─ 
# Run eval $(opam env --switch=default) to update the current shell environment
Switch initialisation failed: clean up? ('n' will leave the switch partially installed) [Y/n] y
[NOTE] Opam has been initialised, but the initial switch creation failed.
       Use 'opam switch create <compiler>' to get started.

And for what it's worth, the following patch seems to fix the issue:

$ diff -u .opam/opam-init/hooks/sandbox.sh.bak .opam/opam-init/hooks/sandbox.sh
--- .opam/opam-init/hooks/sandbox.sh.bak	2022-07-23 23:28:10.984254129 +0200
+++ .opam/opam-init/hooks/sandbox.sh	2022-07-23 23:28:31.544114030 +0200
@@ -73,6 +73,7 @@
       done
       CCACHE_DIR=${CCACHE_DIR-$HOME/.ccache}
       ccache_dir=${ccache_dir-$CCACHE_DIR}
+      ccache_dir=$(readlink -m $ccache_dir)
       add_mounts rw "$ccache_dir"
   fi
 }

---

Here is the output of opam config report:

# opam config report
# opam-version         2.1.2 
# self-upgrade         no
# system               arch=x86_64 os=linux os-distribution=ubuntu os-version=20.04
# solver               builtin-mccs+glpk
# install-criteria     -removed,-count[avoid-version,changed],-count[version-lag,request],-count[version-lag,changed],-count[missing-depexts,changed],-changed
# upgrade-criteria     -removed,-count[avoid-version,changed],-count[version-lag,solution],-count[missing-depexts,changed],-new
# jobs                 7
# repositories         1 (http) (default repo at f1eef1a5)
# pinned               0
# current-switch       4.08.1
# ocaml:native         true
# ocaml:native-tools   true
# ocaml:native-dynlink true
# ocaml:stubsdir       /usr/local/lib/ocaml/4.08.1/stublibs:/usr/lib/ocaml/stublibs
# ocaml:preinstalled   true
# ocaml:compiler       system
# ocaml-system:path    /usr/bin

[dra27]

Cross-referencing #4749