#!/usr/bin/env bash
source common.sh
# Preconditions for this test. Every helper called here is provided by
# common.sh; the skip helpers are expected to end the test early when a
# requirement is missing.
requireSandboxSupport

# The build further down receives the busybox path through --arg, so a usable
# value must be configured.
if [[ ! $busybox =~ busybox ]]; then
  skipTest "no busybox"
fi

# unshare(1) creates the namespaces the test runs in. "command -p" looks it up
# on the default PATH rather than the caller's PATH.
command -p -v unshare || skipTest "Need unshare"

needLocalStore "The test uses --store always so we would just be bypassing the daemon"

# NOTE(review): TODO_NixOS is defined outside this file; presumably it marks
# the test as not yet adapted to the NixOS test environment -- confirm.
TODO_NixOS
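# Run the actual test in a new mount namespace and a new user namespace in
# which the calling user is mapped to root (--map-root-user).
# NOTE(review): setgroups(2) is normally denied in such a namespace, which is
# presumably what produces the "setgroups failed" error asserted below -- confirm.
#
# The here-document delimiter is unquoted, so the OUTER shell expands the text
# before the inner bash reads it:
#   * $busybox is substituted here, on purpose;
#   * anything the inner shell must evaluate is written as \$...;
#   * comment lines are expanded too, so they must not contain backticks or
#     unescaped dollar signs -- a backtick-quoted word in a comment would be
#     executed by the outer shell as a command substitution.
# The inner shell runs with -e, so any unexpected failure aborts the test, and
# with -x, so every command is traced.
unshare --mount --map-root-user -- bash -e -x <<EOF
  source common.sh

  # Avoid store dir being inside sandbox build-dir
  unset NIX_STORE_DIR
  unset NIX_STATE_DIR

  # Point NIX_REMOTE at a fresh directory under TEST_ROOT, named by the first
  # argument, and create it. Quoted so a TEST_ROOT containing whitespace is
  # not word-split by mkdir.
  setLocalStore () {
    export NIX_REMOTE="\$TEST_ROOT/\$1"
    mkdir -p "\$NIX_REMOTE"
  }

  cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1 --no-out-link)

  # Fails with default setting: the build must exit with status 1 and report
  # the failed setgroups call on stderr.
  setLocalStore store1
  expectStderr 1 "\${cmd[@]}" | grepQuiet "setgroups failed"

  # Fails with require-drop-supplementary-groups = true (same expectation as
  # the default case above).
  setLocalStore store2
  NIX_CONFIG='require-drop-supplementary-groups = true' \
    expectStderr 1 "\${cmd[@]}" | grepQuiet "setgroups failed"

  # Works with require-drop-supplementary-groups = false: the build is
  # expected to succeed in the same namespace where the two runs above failed.
  # NOTE(review): this presumably means the build proceeds without dropping
  # supplementary groups, so the setting relaxes a privilege-drop step and
  # should only be disabled deliberately -- confirm against the option docs.
  setLocalStore store3
  NIX_CONFIG='require-drop-supplementary-groups = false' \
    "\${cmd[@]}"
EOF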