| field | value | date |
|---|---|---|
| author | aszlig <aszlig@nix.build> | 2019-03-14 19:07:03 +0100 |
| committer | aszlig <aszlig@nix.build> | 2019-03-14 19:14:05 +0100 |
| commit | 46f7dd436f4b10d9c6cdde737d4da3ffce8e88be (patch) | |
| tree | c5aaefee9648786ac9a2626dba3d87c401ebc1dc /nixos/tests/systemd-confinement.nix | |
| parent | 0ba48f46dacf1d0771cb1995a9a0ff6c1bd2e4fb (diff) | |
nixos/confinement: Allow to configure /bin/sh
Another thing requested by @edolstra in [1]: We should not provide a different /bin/sh in the chroot, that's just asking for confusion and random shell script breakage. It should be the same shell (i.e. bash) as in a regular environment.

While I personally would even go so far as to have a very restricted shell that is not even a shell and basically *only* allows "/bin/sh -c" with only *very* minimal parsing of shell syntax, I do agree that people expect /bin/sh to be bash (or the one configured by environment.binsh) on NixOS.

So this should make both others and me happy in that I could just use confinement.binSh = "${pkgs.dash}/bin/dash" for the services I confine.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'nixos/tests/systemd-confinement.nix')
-rw-r--r-- | nixos/tests/systemd-confinement.nix | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/nixos/tests/systemd-confinement.nix b/nixos/tests/systemd-confinement.nix index 448d34ec30b..63cb074d7ca 100644 --- a/nixos/tests/systemd-confinement.nix +++ b/nixos/tests/systemd-confinement.nix @@ -106,6 +106,32 @@ import ./make-test.nix { $machine->succeed('test ! -e /tmp/canary'); ''; } + { description = "check if /bin/sh works"; + testScript = '' + $machine->succeed( + 'chroot-exec test -e /bin/sh', + 'test "$(chroot-exec \'/bin/sh -c "echo bar"\')" = bar', + ); + ''; + } + { description = "check if suppressing /bin/sh works"; + config.confinement.binSh = null; + testScript = '' + $machine->succeed( + 'chroot-exec test ! -e /bin/sh', + 'test "$(chroot-exec \'/bin/sh -c "echo foo"\')" != foo', + ); + ''; + } + { description = "check if we can set /bin/sh to something different"; + config.confinement.binSh = "${pkgs.hello}/bin/hello"; + testScript = '' + $machine->succeed( + 'chroot-exec test -e /bin/sh', + 'test "$(chroot-exec /bin/sh -g foo)" = foo', + ); + ''; + } ]; options.__testSteps = lib.mkOption { |
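Review bot: the first new test step ("check if /bin/sh works") only checks that a /bin/sh exists in the chroot and can run `echo bar`; it does not assert the property the commit message states, namely that the confined /bin/sh is the same shell as the one in the regular environment (the one configured by environment.binsh). Any shell at that path would pass this step, including one that differs from the host's, so a regression back to a "different /bin/sh in the chroot" would go unnoticed. Consider adding an assertion that the resolved target of /bin/sh inside the chroot matches the host's, along the lines of `'test "$(chroot-exec readlink -f /bin/sh)" = "$(readlink -f /bin/sh)"'`. Separately, in the second step ("check if suppressing /bin/sh works") the comparison `!= foo` is satisfied whenever chroot-exec fails for any reason, since the command substitution is then empty; that is acceptable here only because the preceding `chroot-exec test ! -e /bin/sh` line is the real check, so it may be worth a short comment saying the second line is a belt-and-braces check rather than the primary one.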