author | Silvan Mosberger <silvan.mosberger@tweag.io> | 2023-09-11 15:44:44 +0200 |
---|---|---|
committer | Silvan Mosberger <contact@infinisil.com> | 2023-09-12 01:07:44 +0200 |
commit | d518eb94eee9d88e7a4aad37b8cd0065f394a79d (patch) | |
tree | 99b77162458232f5d8c0d22b9f8a287874b8667c /pkgs/test | |
parent | 688d95b6e6c1a1a0fb91be7b80bff228b20c8024 (diff) | |
tests.nixpkgs-check-by-name: Fix for symlinked tempdirs
On Darwin, /tmp is sometimes a symlink to /private/tmp, which couldn't be handled before:

    error: access to canonical path '/private/var/folders/xp/9_ry6h9x6l9gh_g32qspz0_40000gp/T/.tmpFbcNO0' is forbidden in restricted mode

This both fixes that and adds a test to make sure it can't happen again.
Diffstat (limited to 'pkgs/test')
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/src/eval.rs | 12 | ||||
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/src/main.rs | 36 |
2 files changed, 45 insertions, 3 deletions
diff --git a/pkgs/test/nixpkgs-check-by-name/src/eval.rs b/pkgs/test/nixpkgs-check-by-name/src/eval.rs
index d084642ffe7e..17e22495b22a 100644
--- a/pkgs/test/nixpkgs-check-by-name/src/eval.rs
+++ b/pkgs/test/nixpkgs-check-by-name/src/eval.rs
@@ -30,9 +30,15 @@ pub fn check_values<W: io::Write>(
 // Write the list of packages we need to check into a temporary JSON file.
 // This can then get read by the Nix evaluation.
 let attrs_file = NamedTempFile::new().context("Failed to create a temporary file")?;
+ // We need to canonicalise this path because if it's a symlink (which can be the case on
+ // Darwin), Nix would need to read both the symlink and the target path, therefore need 2
+ // NIX_PATH entries for restrict-eval. But if we resolve the symlinks then only one predictable
+ // entry is needed.
+ let attrs_file_path = attrs_file.path().canonicalize()?;
+
 serde_json::to_writer(&attrs_file, &nixpkgs.package_names).context(format!(
 "Failed to serialise the package names to the temporary path {}",
- attrs_file.path().display()
+ attrs_file_path.display()
 ))?;
 // With restrict-eval, only paths in NIX_PATH can be accessed, so we explicitly specify the
@@ -57,9 +63,9 @@ pub fn check_values<W: io::Write>(
 // Pass the path to the attrs_file as an argument and add it to the NIX_PATH so it can be
 // accessed in restrict-eval mode
 .args(["--arg", "attrsPath"])
- .arg(attrs_file.path())
+ .arg(&attrs_file_path)
 .arg("-I")
- .arg(attrs_file.path())
+ .arg(&attrs_file_path)
 // Same for the nixpkgs to test
 .args(["--arg", "nixpkgsPath"])
 .arg(&nixpkgs.path)
diff --git a/pkgs/test/nixpkgs-check-by-name/src/main.rs b/pkgs/test/nixpkgs-check-by-name/src/main.rs
index db22e524553b..751b5dbd0240 100644
--- a/pkgs/test/nixpkgs-check-by-name/src/main.rs
+++ b/pkgs/test/nixpkgs-check-by-name/src/main.rs
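Review bot: In the first eval.rs hunk, the new `attrs_file.path().canonicalize()?` propagates a bare I/O error, while the `NamedTempFile::new()` and `serde_json::to_writer` calls on either side attach `.context(...)`. This path becomes the only restrict-eval allowlist entry for the attrs file, so a failure to resolve it should name the path rather than surface as an anonymous "No such file or directory". I would write `let attrs_file_path = attrs_file.path().canonicalize().with_context(|| format!("Failed to canonicalise the temporary path {}", attrs_file.path().display()))?;`. `check_values` begins and ends outside both hunks.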
@@ -140,6 +140,42 @@ mod tests {
 Ok(())
 }
+ /// Tests symlinked temporary directories.
+ /// This is needed because on darwin, `/tmp` is a symlink to `/private/tmp`, and Nix's
+ /// restrict-eval doesn't also allow access to the canonical path when you allow the
+ /// non-canonical one.
+ ///
+ /// The error if we didn't do this would look like this:
+ /// error: access to canonical path '/private/var/folders/[...]/.tmpFbcNO0' is forbidden in restricted mode
+ #[test]
+ fn test_symlinked_tmpdir() -> anyhow::Result<()> {
+ // Create a directory with two entries:
+ // - actual (dir)
+ // - symlinked -> actual (symlink)
+ let temp_root = tempdir()?;
+ fs::create_dir(temp_root.path().join("actual"))?;
+ std::os::unix::fs::symlink("actual", temp_root.path().join("symlinked"))?;
+ let tmpdir = temp_root.path().join("symlinked");
+
+ // Then set TMPDIR to the symlinked directory
+ // Make sure to persist the old value so we can undo this later
+ let old_tmpdir = env::var("TMPDIR").ok();
+ env::set_var("TMPDIR", &tmpdir);
+
+ // Then run a simple test with this symlinked temporary directory
+ // This should be successful
+ test_nixpkgs("symlinked_tmpdir", Path::new("tests/success"), "")?;
+
+ // Undo the env variable change
+ if let Some(old) = old_tmpdir {
+ env::set_var("TMPDIR", old);
+ } else {
+ env::remove_var("TMPDIR");
+ }
+
+ Ok(())
+ }
+
 fn test_nixpkgs(name: &str, path: &Path, expected_errors: &str) -> anyhow::Result<()> {
 let extra_nix_path = Path::new("tests/mock-nixpkgs.nix"); |
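Review bot: If `test_nixpkgs(...)?` fails in `test_symlinked_tmpdir`, the early return skips the restore block, so `TMPDIR` keeps pointing into `temp_root`, which is deleted when it drops; later tests in the same process would then fail for an unrelated-looking reason. `TMPDIR` is also process-global, so under the default parallel test threads any other test that creates a temporary file while this one runs sees the symlinked directory (whether other tests do so is outside the hunk). A drop guard makes the restore unconditional, and `env::var_os` keeps a non-UTF-8 old value that `env::var(...).ok()` would discard; serialising the tests that touch the environment would address the parallelism point. `mod tests` and `test_nixpkgs` continue outside the hunk.

```rust
/// Restores TMPDIR to its previous value when dropped, including on early return.
struct TmpdirGuard(Option<std::ffi::OsString>);

impl Drop for TmpdirGuard {
    fn drop(&mut self) {
        match self.0.take() {
            Some(old) => env::set_var("TMPDIR", old),
            None => env::remove_var("TMPDIR"),
        }
    }
}

fn test_symlinked_tmpdir() -> anyhow::Result<()> {
    // … unchanged: temp_root, "actual" dir and "symlinked" link setup …

    // Declared after temp_root, so it drops first: TMPDIR is restored before
    // the directory it pointed into is removed.
    let _restore = TmpdirGuard(env::var_os("TMPDIR"));
    env::set_var("TMPDIR", &tmpdir);

    test_nixpkgs("symlinked_tmpdir", Path::new("tests/success"), "")
}
```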