Merge pull request #8696 from NixLayeredStore/nested-sandboxing

Ericson2314 · web-flow · commit bc499b2e4e96 · 2023-07-14T10:25:38.000-04:00
Test nested sandboxing, and make nicer error
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
@@ -594,6 +594,10 @@ void LocalDerivationGoal::startBuilder()
             else
                 dirsInChroot[i.substr(0, p)] = {i.substr(p + 1), optional};
         }
+        if (hasPrefix(worker.store.storeDir, tmpDirInSandbox))
+        {
+            throw Error("`sandbox-build-dir` must not contain the storeDir");
+        }
         dirsInChroot[tmpDirInSandbox] = tmpDir;
 
         /* Add the closure of store paths to the chroot. */
diff --git a/tests/local.mk b/tests/local.mk
@@ -138,7 +138,8 @@ nix_tests = \
   path-from-hash-part.sh \
   test-libstoreconsumer.sh \
   toString-path.sh \
-  read-only-store.sh
+  read-only-store.sh \
+  nested-sandboxing.sh
 
 ifeq ($(HAVE_LIBCPUID), 1)
 	nix_tests += compute-levels.sh
diff --git a/tests/nested-sandboxing.sh b/tests/nested-sandboxing.sh
@@ -0,0 +1,11 @@
+source common.sh
+# This test is run by `tests/nested-sandboxing/runner.nix` in an extra layer of sandboxing.
+[[ -d /nix/store ]] || skipTest "running this test without Nix's deps being drawn from /nix/store is not yet supported"
+
+requireSandboxSupport
+
+source ./nested-sandboxing/command.sh
+
+expectStderr 100 runNixBuild badStoreUrl 2 | grepQuiet '`sandbox-build-dir` must not contain'
+
+runNixBuild goodStoreUrl 5
diff --git a/tests/nested-sandboxing/command.sh b/tests/nested-sandboxing/command.sh
@@ -0,0 +1,29 @@
+export NIX_BIN_DIR=$(dirname $(type -p nix))
+# TODO Get Nix and its closure more flexibly
+export EXTRA_SANDBOX="/nix/store $(dirname $NIX_BIN_DIR)"
+
+badStoreUrl () {
+    local altitude=$1
+    echo $TEST_ROOT/store-$altitude
+}
+
+goodStoreUrl () {
+    local altitude=$1
+    echo $("badStoreUrl" "$altitude")?store=/foo-$altitude
+}
+
+# The non-standard sandbox-build-dir helps ensure that we get the same behavior
+# whether this test is being run in a derivation as part of the nix build or
+# being manually run by a developer outside a derivation
+runNixBuild () {
+    local storeFun=$1
+    local altitude=$2
+    nix-build \
+        --no-substitute --no-out-link \
+        --store "$("$storeFun" "$altitude")" \
+        --extra-sandbox-paths "$EXTRA_SANDBOX" \
+        ./nested-sandboxing/runner.nix \
+        --arg altitude "$((altitude - 1))" \
+        --argstr storeFun "$storeFun" \
+        --sandbox-build-dir /build-non-standard
+}
diff --git a/tests/nested-sandboxing/runner.nix b/tests/nested-sandboxing/runner.nix
@@ -0,0 +1,24 @@
+{ altitude, storeFun }:
+
+with import ../config.nix;
+
+mkDerivation {
+  name = "nested-sandboxing";
+  busybox = builtins.getEnv "busybox";
+  EXTRA_SANDBOX = builtins.getEnv "EXTRA_SANDBOX";
+  buildCommand = if altitude == 0 then ''
+    echo Deep enough! > $out
+  '' else ''
+    cp -r ${../common} ./common
+    cp ${../common.sh} ./common.sh
+    cp ${../config.nix} ./config.nix
+    cp -r ${./.} ./nested-sandboxing
+
+    export PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH
+
+    source common.sh
+    source ./nested-sandboxing/command.sh
+
+    runNixBuild ${storeFun} ${toString altitude} >> $out
+  '';
+}
