libstore: Fix sandbox=relaxed

The fix for the Darwin vulnerability in ecdbc3b207eaec1a2cafd2a0d494bcbabdd60a11 also broke setting `__sandboxProfile` when `sandbox=relaxed` or `sandbox=false`. This cppnix change fixes `sandbox=relaxed` and adds a suitable test. Co-Authored-By: Artemis Tosini <lix@artem.ist> Co-Authored-By: Eelco Dolstra <edolstra@gmail.com> Change-Id: I40190f44f3e1d61846df1c7b89677c20a1488522
author: Théophane Hufschmitt <theophane.hufschmitt@tweag.io> 2024-05-06 15:10:18 +0200
committer: Artemis Tosini <lix@artem.ist> 2024-05-08 19:31:43 +0000
commit: adea821d8766976f6e0006575aba39404b649e40 (patch)
tree: f13db10041fe4f67f233f3744953822bc2eaf48a /tests/functional/extra-sandbox-profile.sh
parent: f782c8a60a4be16eebf98ef329a8e614de814c30 (diff)
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/functional/extra-sandbox-profile.sh b/tests/functional/extra-sandbox-profile.sh
new file mode 100644
index 000000000..ac3ca036f
--- /dev/null
+++ b/tests/functional/extra-sandbox-profile.sh
@@ -0,0 +1,23 @@
+source common.sh
+
+if [[ $(uname) != Darwin ]]; then skipTest "Need Darwin"; fi
+
+DEST_FILE="${TEST_ROOT}/foo"
+
+testSandboxProfile () (
+    set -e
+
+    sandboxMode="$1"
+
+    rm -f "${DEST_FILE}"
+    nix-build --no-out-link ./extra-sandbox-profile.nix \
+        --option sandbox "$sandboxMode" \
+        --argstr seed "$RANDOM" \
+        --argstr destFile "${DEST_FILE}"
+
+    ls -l "${DEST_FILE}"
+)
+
+testSandboxProfile "false"
+expectStderr 2 testSandboxProfile "true"
+testSandboxProfile "relaxed"
author	Théophane Hufschmitt <theophane.hufschmitt@tweag.io>	2024-05-06 15:10:18 +0200
committer	Artemis Tosini <lix@artem.ist>	2024-05-08 19:31:43 +0000
commit	adea821d8766976f6e0006575aba39404b649e40 (patch)
tree	f13db10041fe4f67f233f3744953822bc2eaf48a /tests/functional/extra-sandbox-profile.sh
parent	f782c8a60a4be16eebf98ef329a8e614de814c30 (diff)