Merge pull request #3303 from LnL7/darwin-sandbox

build: fix sandboxing on darwin
This commit is contained in:
Eelco Dolstra 2020-01-06 20:56:35 +01:00 committed by GitHub
commit e2988f48a1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 15 deletions


@ -3340,7 +3340,7 @@ void DerivationGoal::runChild()
; ;
} }
#if __APPLE__ #if __APPLE__
else if (getEnv("_NIX_TEST_NO_SANDBOX") == "") { else {
/* This has to appear before import statements. */ /* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n"; std::string sandboxProfile = "(version 1)\n";
@ -3449,25 +3449,32 @@ void DerivationGoal::runChild()
/* They don't like trailing slashes on subpath directives */ /* They don't like trailing slashes on subpath directives */
if (globalTmpDir.back() == '/') globalTmpDir.pop_back(); if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
builder = "/usr/bin/sandbox-exec"; if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
args.push_back("sandbox-exec"); builder = "/usr/bin/sandbox-exec";
args.push_back("-f"); args.push_back("sandbox-exec");
args.push_back(sandboxFile); args.push_back("-f");
args.push_back("-D"); args.push_back(sandboxFile);
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
args.push_back("-D");
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
if (allowLocalNetworking) {
args.push_back("-D"); args.push_back("-D");
args.push_back(string("_ALLOW_LOCAL_NETWORKING=1")); args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
args.push_back("-D");
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
if (allowLocalNetworking) {
args.push_back("-D");
args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
}
args.push_back(drv->builder);
} else {
printError("warning: running in sandboxing test mode, sandbox disabled");
builder = drv->builder.c_str();
args.push_back(std::string(baseNameOf(drv->builder)));
} }
args.push_back(drv->builder);
} }
#endif #else
else { else {
builder = drv->builder.c_str(); builder = drv->builder.c_str();
args.push_back(std::string(baseNameOf(drv->builder))); args.push_back(std::string(baseNameOf(drv->builder)));
} }
#endif
for (auto & i : drv->args) for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites)); args.push_back(rewriteStrings(i, inputRewrites));
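Review bot: The `_NIX_TEST_NO_SANDBOX` read in the second hunk is an escape hatch that turns off sandbox-exec for every build, yet nothing at the read site says it is intended for the test suite only; the sibling `_NIX_TEST_NO_LSOF` check in gc.cc in this same commit carries such a comment. A one-line comment above the condition would keep the two consistent and make the risk explicit, e.g. `/* _NIX_TEST_NO_SANDBOX=1 disables sandbox-exec; only meant for the test suite, never for production daemons. */`. The disabled branch also logs its warning through `printError` with a literal `warning:` prefix; if the logging layer has a warning-level call, it seems preferable so the message is classified correctly. `runChild` begins and ends outside both hunks.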


@ -443,7 +443,7 @@ void LocalStore::findRuntimeRoots(Roots & roots, bool censor)
// lsof is really slow on OS X. This actually causes the gc-concurrent.sh test to fail. // lsof is really slow on OS X. This actually causes the gc-concurrent.sh test to fail.
// See: https://github.com/NixOS/nix/issues/3011 // See: https://github.com/NixOS/nix/issues/3011
// Because of this we disable lsof when running the tests. // Because of this we disable lsof when running the tests.
if (getEnv("_NIX_TEST_NO_LSOF") == "") { if (getEnv("_NIX_TEST_NO_LSOF") != "1") {
try { try {
std::regex lsofRegex(R"(^n(/.*)$)"); std::regex lsofRegex(R"(^n(/.*)$)");
auto lsofLines = auto lsofLines =
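Review bot: The condition now only disables lsof when the variable is exactly `"1"`, but the comment block above it still says only that lsof is disabled "when running the tests" without naming the variable or the accepted value. Adding `// Set _NIX_TEST_NO_LSOF=1 to disable it.` to that comment would document the contract at the read site. `findRuntimeRoots` starts and ends outside the hunk.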


@ -53,7 +53,7 @@ static int _main(int argc, char * * argv)
{ {
HashType ht = htSHA256; HashType ht = htSHA256;
std::vector<string> args; std::vector<string> args;
bool printPath = getEnv("PRINT_PATH") != ""; bool printPath = getEnv("PRINT_PATH") == "1";
bool fromExpr = false; bool fromExpr = false;
string attrPath; string attrPath;
bool unpack = false; bool unpack = false;
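Review bot: `bool printPath = getEnv("PRINT_PATH") == "1";` narrows the accepted values from "anything non-empty" to exactly `"1"`, which is a user-visible change for nix-prefetch-url rather than a test-only knob like the other two files. If the documented contract is merely that `PRINT_PATH` is set, existing scripts using e.g. `PRINT_PATH=yes` would silently stop printing the path; either the release notes or the tool's documentation should state the new requirement, or the check should keep accepting any non-empty value. `_main` starts and ends outside the hunk.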