Merge pull request #8240 from tweag/macos-sandbox

thufschmitt · web-flow · commit 940e9eb8dd6d · 2023-05-26T17:06:02.000+02:00
ci: Always run with sandbox, even on Darwin
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,6 +20,9 @@ jobs:
       with:
         fetch-depth: 0
     - uses: cachix/install-nix-action@v20
+      with:
+        # The sandbox would otherwise be disabled by default on Darwin
+        extra_nix_config: "sandbox = true"
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
     - uses: cachix/cachix-action@v12
       if: needs.check_secrets.outputs.cachix == 'true'
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
@@ -2620,7 +2620,7 @@ Strings EvalSettings::getDefaultNixPath()
 {
     Strings res;
     auto add = [&](const Path & p, const std::string & s = std::string()) {
-        if (pathExists(p)) {
+        if (pathAccessible(p)) {
             if (s.empty()) {
                 res.push_back(p);
             } else {
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
@@ -183,7 +183,7 @@ bool Settings::isWSL1()
 Path Settings::getDefaultSSLCertFile()
 {
     for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
-        if (pathExists(fn)) return fn;
+        if (pathAccessible(fn)) return fn;
     return "";
 }
 
diff --git a/src/libutil/tests/tests.cc b/src/libutil/tests/tests.cc
@@ -202,7 +202,7 @@ namespace nix {
     }
 
     TEST(pathExists, bogusPathDoesNotExist) {
-        ASSERT_FALSE(pathExists("/home/schnitzel/darmstadt/pommes"));
+        ASSERT_FALSE(pathExists("/schnitzel/darmstadt/pommes"));
     }
 
     /* ----------------------------------------------------------------------------
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
@@ -266,6 +266,17 @@ bool pathExists(const Path & path)
     return false;
 }
 
+bool pathAccessible(const Path & path)
+{
+    try {
+        return pathExists(path);
+    } catch (SysError & e) {
+        // swallow EPERM
+        if (e.errNo == EPERM) return false;
+        throw;
+    }
+}
+
 
 Path readLink(const Path & path)
 {
diff --git a/src/libutil/util.hh b/src/libutil/util.hh
@@ -120,6 +120,14 @@ struct stat lstat(const Path & path);
  */
 bool pathExists(const Path & path);
 
+/**
+ * A version of pathExists that returns false on a permission error.
+ * Useful for inferring default paths across directories that might not
+ * be readable.
+ * @return true iff the given path can be accessed and exists
+ */
+bool pathAccessible(const Path & path);
+
 /**
  * Read the contents (target) of a symbolic link.  The result is not
  * in any way canonicalised.

Original file line number	Diff line number	Diff line change
`@@ -2620,7 +2620,7 @@ Strings EvalSettings::getDefaultNixPath()`
`2620`	`2620`	`{`
`2621`	`2621`	`Strings res;`
`2622`	`2622`	`auto add = [&](const Path & p, const std::string & s = std::string()) {`
`2623`		`- if (pathExists(p)) {`
	`2623`	`+ if (pathAccessible(p)) {`
`2624`	`2624`	`if (s.empty()) {`
`2625`	`2625`	`res.push_back(p);`
`2626`	`2626`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@ bool Settings::isWSL1()`
`183`	`183`	`Path Settings::getDefaultSSLCertFile()`
`184`	`184`	`{`
`185`	`185`	`for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})`
`186`		`- if (pathExists(fn)) return fn;`
	`186`	`+ if (pathAccessible(fn)) return fn;`
`187`	`187`	`return "";`
`188`	`188`	`}`
`189`	`189`
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ namespace nix {`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`TEST(pathExists, bogusPathDoesNotExist) {`
`205`		`- ASSERT_FALSE(pathExists("/home/schnitzel/darmstadt/pommes"));`
	`205`	`+ ASSERT_FALSE(pathExists("/schnitzel/darmstadt/pommes"));`
`206`	`206`	`}`
`207`	`207`
`208`	`208`	`/* ----------------------------------------------------------------------------`