Fix the access of symlinks to host files in the sandbox
#10456 fixed the addition of symlink
store paths to the sandbox, but also made it so that the hardcoded
sandbox paths (like `/etc/hosts`) were now bind-mounted without
following the possible symlinks. This made these files unreadable if
there were symlinks (because the sandbox would now contain a symlink to
an unreachable file rather than the underlying file).
In particular, this broke FOD derivations on NixOS as `/etc/hosts` is a
symlink there.

Fix that by canonicalizing all these hardcoded sandbox paths before
adding them to the sandbox.

(cherry picked from commit acbb152)
(cherry picked from commit 1cc79f1)

# Conflicts:
#	tests/functional/linux-sandbox.sh
Théophane Hufschmitt authored and mergify[bot] committed Oct 29, 2024
1 parent e393ee3 commit 90e8476
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions tests/functional/linux-sandbox.sh
Expand Up @@ -61,11 +61,17 @@ testCert () {
nocert=$TEST_ROOT/no-cert-file.pem
cert=$TEST_ROOT/some-cert-file.pem
symlinkcert=$TEST_ROOT/symlink-cert-file.pem
<<<<<<< HEAD
transitivesymlinkcert=$TEST_ROOT/transitive-symlink-cert-file.pem
symlinkDir=$TEST_ROOT/symlink-dir
echo -n "CERT_CONTENT" > $cert
ln -s $cert $symlinkcert
ln -s $symlinkcert $transitivesymlinkcert
=======
symlinkDir=$TEST_ROOT/symlink-dir
echo -n "CERT_CONTENT" > $cert
ln -s $cert $symlinkcert
>>>>>>> 1cc79f134 (Fix the access of symlinks to host files in the sandbox)
ln -s $TEST_ROOT $symlinkDir

# No cert in sandbox when not a fixed-output derivation
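Review bot: Unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 1cc79f134 (...)`) are committed into the test setup in this hunk, so both sides of the conflict now sit in the script. Even setting the marker lines aside, the second `ln -s $cert $symlinkcert` would fail because the HEAD side has already created that link. Resolve by keeping the HEAD side, which already sets `symlinkDir`, writes the cert and creates both `$symlinkcert` and `$transitivesymlinkcert`, and delete the markers together with the duplicated block.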
Expand All @@ -80,9 +86,14 @@ testCert missing fixed-output "$nocert"
# Cert in sandbox when ssl-cert-file is set to an existing file
testCert present fixed-output "$cert"

<<<<<<< HEAD
# Cert in sandbox when ssl-cert-file is set to a (potentially transitive) symlink to an existing file
testCert present fixed-output "$symlinkcert"
testCert present fixed-output "$transitivesymlinkcert"
=======
# Cert in sandbox when ssl-cert-file is set to a symlink to an existing file
testCert present fixed-output "$symlinkcert"
>>>>>>> 1cc79f134 (Fix the access of symlinks to host files in the sandbox)

# Symlinks should be added in the sandbox directly and not followed
nix-sandbox-build symlink-derivation.nix -A depends_on_symlink
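Review bot: The same unresolved conflict is left around the symlink `testCert` cases: the marker lines remain and `testCert present fixed-output "$symlinkcert"` appears twice. Keep the HEAD side, which also covers `$transitivesymlinkcert`, and drop the markers and the second copy. Separately, the commit message describes canonicalizing the hardcoded sandbox paths, but this commit shows only the test file changed (11 additions, 0 deletions), so confirm that the corresponding source change is present on this branch.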