no-broken-symlinks: restrict checks to symlinks pointing inside the s…

…tore

doc/stdenv/stdenv.chapter.md

@@ -1377,6 +1377,10 @@ This setup hook checks for, reports, and (by default) fails builds when "broken"
 
 This hook can be disabled by setting `dontCheckForBrokenSymlinks`.
 
+::: {.note}
+The hook only considers symlinks with targets inside the Nix store.
+:::
+
 ::: {.note}
 The check for reflexivity is direct and does not account for transitivity, so this hook will not prevent cycles in symlinks.
 :::

pkgs/build-support/setup-hooks/no-broken-symlinks.sh

@@ -45,6 +45,11 @@ noBrokenSymlinks() {
       symlinkTarget="$(realpath --no-symlinks --canonicalize-missing "$pathParent/$symlinkTarget")"
     fi
 
+    if [[ $symlinkTarget != "$NIX_STORE"/* ]]; then
+      nixInfoLog "symlink $path points outside the Nix store; ignoring"
+      continue
+    fi
+
     if [[ $path == "$symlinkTarget" ]]; then
       nixErrorLog "the symlink $path is reflexive $symlinkTarget"
       numReflexiveSymlinks+=1

pkgs/test/stdenv/no-broken-symlinks.nix

@@ -22,6 +22,10 @@ let
     ln -s${if absolute then "r" else ""} "$out/valid" "$out/valid-symlink"
   '';
 
+  mkValidSymlinkOutsideNixStore = absolute: ''
+    ln -s${if absolute then "r" else ""} "/etc/my_file" "$out/valid-symlink"
+  '';
+
   testBuilder =
     {
       name,
@@ -188,4 +192,14 @@ in
     name = "pass-valid-symlink-absolute";
     commands = [ (mkValidSymlink true) ];
   };
+
+  pass-valid-symlink-outside-nix-store-relative = testBuilder {
+    name = "pass-valid-symlink-outside-nix-store-relative";
+    commands = [ (mkValidSymlinkOutsideNixStore false) ];
+  };
+
+  pass-valid-symlink-outside-nix-store-absolute = testBuilder {
+    name = "pass-valid-symlink-outside-nix-store-absolute";
+    commands = [ (mkValidSymlinkOutsideNixStore true) ];
+  };
 }