author | Zhaofeng Li <hello@zhaofeng.li> | 2023-03-17 11:00:03 -0600 |
---|---|---|
committer | Zhaofeng Li <hello@zhaofeng.li> | 2023-03-17 11:03:11 -0600 |
commit | 58d73d2397f5ccd251d7e3833ee36b2f117ec06d (patch) | |
tree | 439116801ac22d8d74de251e7e64c4c77bb53516 /pkgs/build-support/build-fhs-userenv-bubblewrap | |
parent | 3c5319ad3aa51551182ac82ea17ab1c6b0f0df89 (diff) |
build-fhs-userenv-bubblewrap: Preserve symlinks in /etc
If the original file in /etc is a symlink, make it a symlink inside the sandbox as well. This fixes https://github.com/NixOS/nixpkgs/issues/126234#issuecomment-1192203498 Co-authored-by: Linus Heckemann <git@sphalerite.org>
Diffstat (limited to 'pkgs/build-support/build-fhs-userenv-bubblewrap')
-rw-r--r-- | pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
index 048233d728c47..b95d94f4a0bf1 100644
--- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
+++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
@@ -26,7 +26,7 @@ let
 "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
 ]);
 
- etcBindFlags = let
+ etcBindEntries = let
 files = [
 # NixOS Compatibility
 "static"
@@ -69,8 +69,7 @@ let
 "ca-certificates"
 "pki"
 ];
- in concatStringsSep "\n "
- (map (file: "--ro-bind-try $(${coreutils}/bin/readlink -m /etc/${file}) /etc/${file}") files);
+ in map (path: "/etc/${path}") files;
 
 # Create this on the fly instead of linking from /nix
 # The container might have to modify it and re-run ldconfig if there are
@@ -102,6 +101,7 @@ let
 blacklist=(/nix /dev /proc /etc)
 ro_mounts=()
 symlinks=()
+ etc_ignored=()
 for i in ${env}/*; do
 path="/''${i##*/}"
 if [[ $path == '/etc' ]]; then
@@ -124,9 +124,21 @@ let
 continue
 fi
 ro_mounts+=(--ro-bind "$i" "/etc$path")
+ etc_ignored+=("/etc$path")
 done
 fi
 
+ for i in ${lib.escapeShellArgs etcBindEntries}; do
+ if [[ "''${etc_ignored[@]}" =~ "$i" ]]; then
+ continue
+ fi
+ if [[ -L $i ]]; then
+ symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$i")
+ else
+ ro_mounts+=(--ro-bind-try "$i" "$i")
+ fi
+ done
+
 declare -a auto_mounts
 # loop through all directories in the root
 for dir in /*; do
@@ -179,7 +191,6 @@ let
 --symlink /etc/ld.so.cache ${pkgsi686Linux.glibc}/etc/ld.so.cache \
 --ro-bind ${pkgsi686Linux.glibc}/etc/rpc ${pkgsi686Linux.glibc}/etc/rpc \
 --remount-ro ${pkgsi686Linux.glibc}/etc \
- ${etcBindFlags}
 "''${ro_mounts[@]}"
 "''${symlinks[@]}"
 "''${auto_mounts[@]}"
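Review bot: The `etc_ignored` membership test in the new `for i in ${lib.escapeShellArgs etcBindEntries}` loop of the `@@ -124,9 +124,21 @@` hunk, `[[ "''${etc_ignored[@]}" =~ "$i" ]]`, is a substring match against the space-joined array rather than an element comparison, so an entry is also skipped whenever its path is a substring of any path the environment ships under /etc (constructed example: an ignored `/etc/foo.conf` would also suppress the entry `/etc/foo`), leaving that file neither bound nor symlinked into the sandbox. An exact per-element comparison, as below, avoids the false match. Separately, `readlink "$i"` resolves a single hop where the removed `readlink -m` resolved the whole chain, so a host symlink whose target is itself a symlink now relies on every intermediate being reachable inside the sandbox; whether the later root-directory binds guarantee that is not visible in this hunk. The shell script this loop belongs to starts and ends outside the hunk.
```nix
    for i in ${lib.escapeShellArgs etcBindEntries}; do
      skip=
      for ignored in "''${etc_ignored[@]}"; do
        if [[ $ignored == "$i" ]]; then
          skip=1
          break
        fi
      done
      if [[ $skip ]]; then
        continue
      fi
      # … unchanged: -L check, --symlink / --ro-bind-try branches …
    done
```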