Merge pull request #10456 from NixOS/fixpermdeniedbind

Fix adding symlink to the sandbox paths

(cherry-picked from commit da1e977bf48cff2a635034c85e7c13878e38efc2)

Change-Id: I221c85a38180800ec6552d2e86a88df48398fad8

2 files changed, 39 insertions, 0 deletions

diff --git a/tests/functional/linux-sandbox.sh b/tests/functional/linux-sandbox.sh
index ff7d257bd..04209277b 100644
--- a/tests/functional/linux-sandbox.sh
+++ b/tests/functional/linux-sandbox.sh
@@ -73,3 +73,6 @@ testCert missing fixed-output "$nocert"
 
 # Cert in sandbox when ssl-cert-file is set to an existing file
 testCert present fixed-output "$cert"
+
+# Symlinks should be added in the sandbox directly and not followed
+nix-sandbox-build symlink-derivation.nix
diff --git a/tests/functional/symlink-derivation.nix b/tests/functional/symlink-derivation.nix
new file mode 100644
index 000000000..17ba37424
--- /dev/null
+++ b/tests/functional/symlink-derivation.nix
@@ -0,0 +1,36 @@
+with import ./config.nix;
+
+let
+  foo_in_store = builtins.toFile "foo" "foo";
+  foo_symlink = mkDerivation {
+    name = "foo-symlink";
+    buildCommand = ''
+      ln -s ${foo_in_store} $out
+    '';
+  };
+  symlink_to_not_in_store = mkDerivation {
+    name = "symlink-to-not-in-store";
+    buildCommand = ''
+      ln -s ${builtins.toString ./.} $out
+    '';
+  };
+in
+mkDerivation {
+  name = "depends-on-symlink";
+  buildCommand = ''
+    (
+      set -x
+
+      # `foo_symlink` should be a symlink pointing to `foo_in_store`
+      [[ -L ${foo_symlink} ]]
+      [[ $(readlink ${foo_symlink}) == ${foo_in_store} ]]
+
+      # `symlink_to_not_in_store` should be a symlink pointing to `./.`, which
+      # is not available in the sandbox
+      [[ -L ${symlink_to_not_in_store} ]]
+      [[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]]
+      (! ls ${symlink_to_not_in_store}/)
+    )
+    echo "Success!" > $out
+  '';
+}