From b2416f44850769715167c68a7e5d28d756dc23d6 Mon Sep 17 00:00:00 2001 From: Connor Baker Date: Thu, 23 Jan 2025 15:59:18 -0800 Subject: [PATCH 1/2] no-broken-symlinks: restrict checks to symlinks pointing inside the store --- doc/stdenv/stdenv.chapter.md | 4 ++++ .../setup-hooks/no-broken-symlinks.sh | 5 +++++ pkgs/test/stdenv/no-broken-symlinks.nix | 14 ++++++++++++++ 3 files changed, 23 insertions(+) diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index 868a7543d9ad3..ed29d8459c336 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md @@ -1377,6 +1377,10 @@ This setup hook checks for, reports, and (by default) fails builds when "broken" This hook can be disabled by setting `dontCheckForBrokenSymlinks`. +::: {.note} +The hook only considers symlinks with targets inside the Nix store. +::: + ::: {.note} The check for reflexivity is direct and does not account for transitivity, so this hook will not prevent cycles in symlinks. ::: diff --git a/pkgs/build-support/setup-hooks/no-broken-symlinks.sh b/pkgs/build-support/setup-hooks/no-broken-symlinks.sh index e4acaa1ec1149..6609c08e8436e 100644 --- a/pkgs/build-support/setup-hooks/no-broken-symlinks.sh +++ b/pkgs/build-support/setup-hooks/no-broken-symlinks.sh @@ -45,6 +45,11 @@ noBrokenSymlinks() { symlinkTarget="$(realpath --no-symlinks --canonicalize-missing "$pathParent/$symlinkTarget")" fi + if [[ $symlinkTarget != "$NIX_STORE"/* ]]; then + nixInfoLog "symlink $path points outside the Nix store; ignoring" + continue + fi + if [[ $path == "$symlinkTarget" ]]; then nixErrorLog "the symlink $path is reflexive $symlinkTarget" numReflexiveSymlinks+=1 diff --git a/pkgs/test/stdenv/no-broken-symlinks.nix b/pkgs/test/stdenv/no-broken-symlinks.nix index 0eb0ef0f982e6..dfc25745f4711 100644 --- a/pkgs/test/stdenv/no-broken-symlinks.nix +++ b/pkgs/test/stdenv/no-broken-symlinks.nix 
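Review bot: The new `[[ $symlinkTarget != "$NIX_STORE"/* ]]` test in noBrokenSymlinks is a purely lexical prefix match, and the only normalisation visible above it is the `realpath --no-symlinks --canonicalize-missing` call for relative targets. The conditional that ends at `fi` starts outside the hunk, so this is inferred, but if absolute targets reach the comparison exactly as stored in the link, a target containing `..` segments or doubled slashes can be classified on the wrong side of the store boundary and either skip the dangling check or be subjected to it unexpectedly. Normalising absolute targets too before the comparison would close that gap, e.g. `symlinkTarget="$(realpath --no-symlinks --canonicalize-missing "$symlinkTarget")"` just ahead of the prefix test. Skipped links are reported only through `nixInfoLog`, so a comment such as `# out-of-store targets cannot be validated at build time; skipped by design` would record that the silence is intentional.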
@@ -22,6 +22,10 @@ let ln -s${if absolute then "r" else ""} "$out/valid" "$out/valid-symlink" ''; + mkValidSymlinkOutsideNixStore = absolute: '' + ln -s${if absolute then "r" else ""} "/etc/my_file" "$out/valid-symlink" + ''; + testBuilder = { name, @@ -188,4 +192,14 @@ in name = "pass-valid-symlink-absolute"; commands = [ (mkValidSymlink true) ]; }; + + pass-valid-symlink-outside-nix-store-relative = testBuilder { + name = "pass-valid-symlink-outside-nix-store-relative"; + commands = [ (mkValidSymlinkOutsideNixStore false) ]; + }; + + pass-valid-symlink-outside-nix-store-absolute = testBuilder { + name = "pass-valid-symlink-outside-nix-store-absolute"; + commands = [ (mkValidSymlinkOutsideNixStore true) ]; + }; } From 1166b63c1d53a10322266ddbca000735ee0e90af Mon Sep 17 00:00:00 2001 From: Connor Baker Date: Fri, 24 Jan 2025 16:29:48 +0000 Subject: [PATCH 2/2] test.stdenv.hooks.no-broken-symlinks: correct inverted absolute path option --- pkgs/test/stdenv/no-broken-symlinks.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/test/stdenv/no-broken-symlinks.nix b/pkgs/test/stdenv/no-broken-symlinks.nix index dfc25745f4711..9c8ea72a2c7dd 100644 --- a/pkgs/test/stdenv/no-broken-symlinks.nix +++ b/pkgs/test/stdenv/no-broken-symlinks.nix 
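Review bot: `mkValidSymlinkOutsideNixStore` is named as if it creates a valid link, but nothing in the hunk creates `/etc/my_file`, so the target presumably does not exist in the build environment and the two `pass-valid-symlink-outside-nix-store-*` cases really assert that a dangling out-of-store link is ignored. A comment on the helper such as `# target is never created: the hook must skip it because it lies outside the store, not because it resolves` would record that. The link name `$out/valid-symlink` is also shared with `mkValidSymlink`, so the two helpers would collide if ever combined in one `commands` list. The cases visible here only exercise the skip path; unless the file already has one outside these hunks, a failing case for a dangling target under a different store path would pin the boundary from the other side.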
@@ -5,25 +5,25 @@ }: let - inherit (lib.strings) concatStringsSep; + inherit (lib.strings) concatStringsSep optionalString; inherit (pkgs) runCommand; inherit (pkgs.testers) testBuildFailure; mkDanglingSymlink = absolute: '' - ln -s${if absolute then "r" else ""} "$out/dangling" "$out/dangling-symlink" + ln -s${optionalString (!absolute) "r"} "$out/dangling" "$out/dangling-symlink" ''; mkReflexiveSymlink = absolute: '' - ln -s${if absolute then "r" else ""} "$out/reflexive-symlink" "$out/reflexive-symlink" + ln -s${optionalString (!absolute) "r"} "$out/reflexive-symlink" "$out/reflexive-symlink" ''; mkValidSymlink = absolute: '' touch "$out/valid" - ln -s${if absolute then "r" else ""} "$out/valid" "$out/valid-symlink" + ln -s${optionalString (!absolute) "r"} "$out/valid" "$out/valid-symlink" ''; mkValidSymlinkOutsideNixStore = absolute: '' - ln -s${if absolute then "r" else ""} "/etc/my_file" "$out/valid-symlink" + ln -s${optionalString (!absolute) "r"} "/etc/my_file" "$out/valid-symlink" ''; testBuilder =
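Review bot: The expression `ln -s${optionalString (!absolute) "r"}` is now repeated in all four helpers, which is the same duplication that let the inverted flag spread to each of them. Binding it once in the `let` block, e.g. `lnFlags = absolute: "-s" + optionalString (!absolute) "r";`, and calling `ln ${lnFlags absolute} …` would keep the meaning of `absolute` in one place. A comment such as `# -r makes ln write the target relative to the link's directory` next to it would make a future re-inversion less likely. The `let` block continues past the end of the hunk at `testBuilder =`.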