Merge pull request #7830 from yorickvP/fix-writable-etc

Don't allow writing to /etc
author: Eelco Dolstra <edolstra@gmail.com> 2023-02-14 14:41:59 +0100
committer: GitHub <noreply@github.com> 2023-02-14 14:41:59 +0100
commit: 707ba52f2d1855f2613da3a576488f5040843915 (patch)
tree: 756cb0de9292c3a54ff58bcfabb256a9227216b0 /tests/linux-sandbox.sh
parent: df9a71f6ea66f9ab1e4955d5fef62eacd817f976 (diff)
parent: 49fd72a903b7bc2fdc4735111ca5569122cf55ee (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/tests/linux-sandbox.sh b/tests/linux-sandbox.sh
index 3f304ac2f..e62039567 100644
--- a/tests/linux-sandbox.sh
+++ b/tests/linux-sandbox.sh
@@ -37,3 +37,6 @@ nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link
 (! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log)
 if grep -q 'error: renaming' $TEST_ROOT/log; then false; fi
 grep -q 'may not be deterministic' $TEST_ROOT/log
+
+# Test that sandboxed builds cannot write to /etc easily
+(! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)
author	Eelco Dolstra <edolstra@gmail.com>	2023-02-14 14:41:59 +0100
committer	GitHub <noreply@github.com>	2023-02-14 14:41:59 +0100
commit	707ba52f2d1855f2613da3a576488f5040843915 (patch)
tree	756cb0de9292c3a54ff58bcfabb256a9227216b0 /tests/linux-sandbox.sh
parent	df9a71f6ea66f9ab1e4955d5fef62eacd817f976 (diff)
parent	49fd72a903b7bc2fdc4735111ca5569122cf55ee (diff)