mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-29 09:06:15 +02:00
Merge pull request #10482 from tweag/fix-symlink-in-sandbox
Fix the access of symlinks to host files in the sandbox
This commit is contained in:
commit
65cc237b3a
3 changed files with 65 additions and 20 deletions
|
@ -1823,11 +1823,18 @@ void LocalDerivationGoal::runChild()
|
||||||
if (pathExists(path))
|
if (pathExists(path))
|
||||||
ss.push_back(path);
|
ss.push_back(path);
|
||||||
|
|
||||||
if (settings.caFile != "")
|
if (settings.caFile != "" && pathExists(settings.caFile)) {
|
||||||
pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
|
Path caFile = settings.caFile;
|
||||||
|
pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", canonPath(caFile, true), true);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (auto & i : ss) pathsInChroot.emplace(i, i);
|
for (auto & i : ss) {
|
||||||
|
// For backwards-compatibiliy, resolve all the symlinks in the
|
||||||
|
// chroot paths
|
||||||
|
auto canonicalPath = canonPath(i, true);
|
||||||
|
pathsInChroot.emplace(i, canonicalPath);
|
||||||
|
}
|
||||||
|
|
||||||
/* Bind-mount all the directories from the "host"
|
/* Bind-mount all the directories from the "host"
|
||||||
filesystem that we want in the chroot
|
filesystem that we want in the chroot
|
||||||
|
|
|
@ -60,7 +60,13 @@ testCert () {
|
||||||
|
|
||||||
nocert=$TEST_ROOT/no-cert-file.pem
|
nocert=$TEST_ROOT/no-cert-file.pem
|
||||||
cert=$TEST_ROOT/some-cert-file.pem
|
cert=$TEST_ROOT/some-cert-file.pem
|
||||||
|
symlinkcert=$TEST_ROOT/symlink-cert-file.pem
|
||||||
|
transitivesymlinkcert=$TEST_ROOT/transitive-symlink-cert-file.pem
|
||||||
|
symlinkDir=$TEST_ROOT/symlink-dir
|
||||||
echo -n "CERT_CONTENT" > $cert
|
echo -n "CERT_CONTENT" > $cert
|
||||||
|
ln -s $cert $symlinkcert
|
||||||
|
ln -s $symlinkcert $transitivesymlinkcert
|
||||||
|
ln -s $TEST_ROOT $symlinkDir
|
||||||
|
|
||||||
# No cert in sandbox when not a fixed-output derivation
|
# No cert in sandbox when not a fixed-output derivation
|
||||||
testCert missing normal "$cert"
|
testCert missing normal "$cert"
|
||||||
|
@ -74,5 +80,14 @@ testCert missing fixed-output "$nocert"
|
||||||
# Cert in sandbox when ssl-cert-file is set to an existing file
|
# Cert in sandbox when ssl-cert-file is set to an existing file
|
||||||
testCert present fixed-output "$cert"
|
testCert present fixed-output "$cert"
|
||||||
|
|
||||||
|
# Cert in sandbox when ssl-cert-file is set to a (potentially transitive) symlink to an existing file
|
||||||
|
testCert present fixed-output "$symlinkcert"
|
||||||
|
testCert present fixed-output "$transitivesymlinkcert"
|
||||||
|
|
||||||
# Symlinks should be added in the sandbox directly and not followed
|
# Symlinks should be added in the sandbox directly and not followed
|
||||||
nix-sandbox-build symlink-derivation.nix
|
nix-sandbox-build symlink-derivation.nix -A depends_on_symlink
|
||||||
|
nix-sandbox-build symlink-derivation.nix -A test_sandbox_paths \
|
||||||
|
--option extra-sandbox-paths "/file=$cert" \
|
||||||
|
--option extra-sandbox-paths "/dir=$TEST_ROOT" \
|
||||||
|
--option extra-sandbox-paths "/symlinkDir=$symlinkDir" \
|
||||||
|
--option extra-sandbox-paths "/symlink=$symlinkcert"
|
||||||
|
|
|
@ -15,22 +15,45 @@ let
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
mkDerivation {
|
{
|
||||||
name = "depends-on-symlink";
|
depends_on_symlink = mkDerivation {
|
||||||
buildCommand = ''
|
name = "depends-on-symlink";
|
||||||
(
|
buildCommand = ''
|
||||||
set -x
|
(
|
||||||
|
set -x
|
||||||
|
|
||||||
# `foo_symlink` should be a symlink pointing to `foo_in_store`
|
# `foo_symlink` should be a symlink pointing to `foo_in_store`
|
||||||
[[ -L ${foo_symlink} ]]
|
[[ -L ${foo_symlink} ]]
|
||||||
[[ $(readlink ${foo_symlink}) == ${foo_in_store} ]]
|
[[ $(readlink ${foo_symlink}) == ${foo_in_store} ]]
|
||||||
|
|
||||||
# `symlink_to_not_in_store` should be a symlink pointing to `./.`, which
|
# `symlink_to_not_in_store` should be a symlink pointing to `./.`, which
|
||||||
# is not available in the sandbox
|
# is not available in the sandbox
|
||||||
[[ -L ${symlink_to_not_in_store} ]]
|
[[ -L ${symlink_to_not_in_store} ]]
|
||||||
[[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]]
|
[[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]]
|
||||||
(! ls ${symlink_to_not_in_store}/)
|
(! ls ${symlink_to_not_in_store}/)
|
||||||
)
|
|
||||||
echo "Success!" > $out
|
# Native paths
|
||||||
'';
|
)
|
||||||
|
echo "Success!" > $out
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
test_sandbox_paths = mkDerivation {
|
||||||
|
# Depends on the caller to set a bunch of `--sandbox-path` arguments
|
||||||
|
name = "test-sandbox-paths";
|
||||||
|
buildCommand = ''
|
||||||
|
(
|
||||||
|
set -x
|
||||||
|
[[ -f /file ]]
|
||||||
|
[[ -d /dir ]]
|
||||||
|
|
||||||
|
# /symlink and /symlinkDir should be available as raw symlinks
|
||||||
|
# (pointing to files outside of the sandbox)
|
||||||
|
[[ -L /symlink ]] && [[ ! -e $(readlink /symlink) ]]
|
||||||
|
[[ -L /symlinkDir ]] && [[ ! -e $(readlink /symlinkDir) ]]
|
||||||
|
)
|
||||||
|
|
||||||
|
touch $out
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue