build-fhs-userenv-bubblewrap: Preserve symlinks in /etc

If the original file in /etc is a symlink, make it a symlink inside the sandbox as well. This fixes https://github.com/NixOS/nixpkgs/issues/126234#issuecomment-1192203498 Co-authored-by: Linus Heckemann <git@sphalerite.org>
2024-09-20 04:19:00 +02:00 · 2023-03-17 11:00:03 -06:00 · 2023-03-17 11:00:03 -06:00 · 58d73d2397
parent 3c5319ad3a
commit 58d73d2397
1 changed files with 15 additions and 4 deletions
--- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
+++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
@ -26,7 +26,7 @@ let
    "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
  ]);

-  etcBindFlags = let
+  etcBindEntries = let
    files = [
      # NixOS Compatibility
      "static"
@ -69,8 +69,7 @@ let
      "ca-certificates"
      "pki"
    ];
-  in concatStringsSep "\n  "
-  (map (file: "--ro-bind-try $(${coreutils}/bin/readlink -m /etc/${file}) /etc/${file}") files);
+  in map (path: "/etc/${path}") files;

  # Create this on the fly instead of linking from /nix
  # The container might have to modify it and re-run ldconfig if there are
@ -102,6 +101,7 @@ let
    blacklist=(/nix /dev /proc /etc)
    ro_mounts=()
    symlinks=()
+    etc_ignored=()
    for i in ${env}/*; do
      path="/''${i##*/}"
      if [[ $path == '/etc' ]]; then
@ -124,9 +124,21 @@ let
          continue
        fi
        ro_mounts+=(--ro-bind "$i" "/etc$path")
+        etc_ignored+=("/etc$path")
      done
    fi

+    for i in ${lib.escapeShellArgs etcBindEntries}; do
+      if [[ "''${etc_ignored[@]}" =~ "$i" ]]; then
+        continue
+      fi
+      if [[ -L $i ]]; then
+        symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$i")
+      else
+        ro_mounts+=(--ro-bind-try "$i" "$i")
+      fi
+    done
+
    declare -a auto_mounts
    # loop through all directories in the root
    for dir in /*; do
@ -179,7 +191,6 @@ let
      --symlink /etc/ld.so.cache ${pkgsi686Linux.glibc}/etc/ld.so.cache \
      --ro-bind ${pkgsi686Linux.glibc}/etc/rpc ${pkgsi686Linux.glibc}/etc/rpc \
      --remount-ro ${pkgsi686Linux.glibc}/etc \
-      ${etcBindFlags}
      "''${ro_mounts[@]}"
      "''${symlinks[@]}"
      "''${auto_mounts[@]}"