nix: force sandbox in CI

For more details see: https://github.com/status-im/security-internal/blob/master/overview/infra.md#continuous-integration-ci Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-02 14:14:39 +00:00 · 2020-02-25 22:42:47 +01:00 · 2020-02-25 22:42:47 +01:00 · 1c81d6e190
commit 1c81d6e190
parent 8d95515480
5 changed files with 34 additions and 30 deletions
--- a/ci/Jenkinsfile.fastlane.clean
+++ b/ci/Jenkinsfile.fastlane.clean
@ -44,7 +44,7 @@ pipeline {
        ]) {
          nix.shell(
            'bundle exec --gemfile=fastlane/Gemfile fastlane ios clean',
-            keep: ['FASTLANE_APPLE_ID', 'FASTLANE_PASSWORD'],
+            keepEnv: ['FASTLANE_APPLE_ID', 'FASTLANE_PASSWORD'],
            attr: 'shells.fastlane',
          )
        }
--- a/ci/android.groovy
+++ b/ci/android.groovy
@ -49,12 +49,12 @@ def bundle() {
        'STATUS_RELEASE_STORE_PASSWORD',
        'STATUS_RELEASE_KEY_PASSWORD',
      ],
-      keep: [
+      keepEnv: [
        'ANDROID_ABI_SPLIT',
        'ANDROID_ABI_INCLUDE',
        'STATUS_RELEASE_STORE_FILE',
      ],
-      sbox: [
+      sandboxPaths: [
        env.STATUS_RELEASE_STORE_FILE,
      ],
      link: false
@ -110,7 +110,7 @@ def uploadToPlayStore(type = 'nightly') {
  ]) {
    nix.shell(
      "fastlane android ${type}",
-      keep: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'GOOGLE_PLAY_JSON_KEY'],
+      keepEnv: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'GOOGLE_PLAY_JSON_KEY'],
      attr: 'shells.fastlane',
      pure: false
    )
@ -134,7 +134,7 @@ def uploadToSauceLabs() {
  ]) {
    nix.shell(
      'fastlane android saucelabs',
-      keep: [
+      keepEnv: [
        'FASTLANE_DISABLE_COLORS', 'APK_PATHS',
        'SAUCE_ACCESS_KEY', 'SAUCE_USERNAME', 'SAUCE_LABS_NAME'
      ],
@ -151,7 +151,7 @@ def uploadToDiawi() {
  ]) {
    nix.shell(
      'fastlane android upload_diawi',
-      keep: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'DIAWI_TOKEN'],
+      keepEnv: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'DIAWI_TOKEN'],
      attr: 'shells.fastlane',
      pure: false
    )
@ -166,7 +166,7 @@ def coverage() {
  ]) {
    nix.shell(
      'make coverage',
-      keep: ['COVERALLS_REPO_TOKEN', 'COVERALLS_SERVICE_NAME', 'COVERALLS_SERVICE_JOB_ID']
+      keepEnv: ['COVERALLS_REPO_TOKEN', 'COVERALLS_SERVICE_NAME', 'COVERALLS_SERVICE_JOB_ID']
    )
  }
 }
--- a/ci/desktop.groovy
+++ b/ci/desktop.groovy
@ -9,7 +9,7 @@ def buildJSBundle() {
      make jsbundle-desktop && \
      ./scripts/build-desktop.sh buildJSBundle
    ''',
-    keep: ['VERBOSE_LEVEL']
+    keepEnv: ['VERBOSE_LEVEL']
  )
 }

@ -49,7 +49,7 @@ def compile() {
  }
  nix.shell(
    './scripts/build-desktop.sh compile',
-    keep: ['VERBOSE_LEVEL']
+    keepEnv: ['VERBOSE_LEVEL']
  )
 }

@ -58,7 +58,7 @@ def bundleWindows(type = 'nightly') {

  nix.shell(
    './scripts/build-desktop.sh bundle',
-    keep: ['VERBOSE_LEVEL']
+    keepEnv: ['VERBOSE_LEVEL']
  )
  dir(packageFolder) {
    pkg = utils.pkgFilename(type, 'exe')
@ -71,7 +71,7 @@ def bundleLinux(type = 'nightly') {
  def pkg
  nix.shell(
    './scripts/build-desktop.sh bundle',
-    keep: ['VERBOSE_LEVEL']
+    keepEnv: ['VERBOSE_LEVEL']
  )
  dir(packageFolder) {
    pkg = utils.pkgFilename(type, 'AppImage')
@ -84,7 +84,7 @@ def bundleMacOS(type = 'nightly') {
  def pkg = utils.pkgFilename(type, 'dmg')
  nix.shell(
    './scripts/build-desktop.sh bundle',
-    keep: ['VERBOSE_LEVEL']
+    keepEnv: ['VERBOSE_LEVEL']
  )
  dir(packageFolder) {
    withCredentials([
@ -99,7 +99,7 @@ def bundleMacOS(type = 'nightly') {
        ../scripts/sign-macos-pkg.sh ${pkg} ../deployment/macos/macos-developer-id.keychain-db.gpg
        """,
        pure: false,
-        keep: ['GPG_PASS_OUTER', 'GPG_PASS_INNER', 'KEYCHAIN_PASS']
+        keepEnv: ['GPG_PASS_OUTER', 'GPG_PASS_INNER', 'KEYCHAIN_PASS']
      )
    }
  }
--- a/ci/ios.groovy
+++ b/ci/ios.groovy
@ -34,7 +34,7 @@ def bundle() {
  ]) {
    nix.shell(
      "bundle exec --gemfile=fastlane/Gemfile fastlane ios ${target}",
-      keep: [
+      keepEnv: [
        'FASTLANE_DISABLE_COLORS',
        'FASTLANE_PASSWORD', 'KEYCHAIN_PASSWORD',
        'MATCH_PASSWORD', 'FASTLANE_APPLE_ID',
@ -66,7 +66,7 @@ def uploadToDiawi() {
    /* This can silently fail with 'File is not processed.' */
    nix.shell(
      'bundle exec --verbose --gemfile=fastlane/Gemfile fastlane ios upload_diawi',
-      keep: ['FASTLANE_DISABLE_COLORS', 'DIAWI_TOKEN'],
+      keepEnv: ['FASTLANE_DISABLE_COLORS', 'DIAWI_TOKEN'],
      attr: 'shells.fastlane'
    )
  }
@ -92,7 +92,7 @@ def uploadToSauceLabs() {
  ]) {
    nix.shell(
      'bundle exec --gemfile=fastlane/Gemfile fastlane ios saucelabs',
-      keep: ['FASTLANE_DISABLE_COLORS', 'SAUCE_ACCESS_KEY', 'SAUCE_USERNAME'],
+      keepEnv: ['FASTLANE_DISABLE_COLORS', 'SAUCE_ACCESS_KEY', 'SAUCE_USERNAME'],
      attr: 'shells.fastlane'
    )
  }
--- a/ci/nix.groovy
+++ b/ci/nix.groovy
@ -1,19 +1,20 @@
 /**
 * Arguments:
 *  - pure - Use --pure mode with Nix for more deterministic behaviour
- *  - keep - List of env variables to keep even in pure mode
 *  - args - Map of arguments to provide to --argstr
+ *  - keepEnv - List of env variables to keep even in pure mode
 **/
 def shell(Map opts = [:], String cmd) {
  def defaults = [
    pure: true,
    args: ['target': env.TARGET ? env.TARGET : 'default'],
-    keep: ['LOCALE_ARCHIVE_2_27'],
+    keepEnv: ['LOCALE_ARCHIVE_2_27'],
+    sandbox: true,
  ]
  /* merge defaults with received opts */
  opts = defaults + opts
  /* previous merge overwrites the array */
-  opts.keep = (opts.keep + defaults.keep).unique()
+  opts.keepEnv = (opts.keepEnv + defaults.keepEnv).unique()
  /* not all targets can use a pure build */
  if (env.TARGET in ['windows', 'ios']) {
    opts.pure = false
@ -30,29 +31,31 @@ def shell(Map opts = [:], String cmd) {
 * Arguments:
 *  - pure - Use --pure mode with Nix for more deterministic behaviour
 *  - link - Bu default build creates a `result` directory, you can turn that off
- *  - keep - List of env variables to pass through to Nix build
 *  - conf - Map of config values to provide to --arg config
 *  - args - Map of arguments to provide to --argstr
 *  - attr - Name of attribute to use with --attr flag
- *  - sbox - List of host file paths to pass to the Nix expression
+ *  - keepEnv - List of env variables to pass through to Nix build
 *  - safeEnv - Name of env variables to pass securely through to Nix build (they won't get captured in Nix derivation file)
+ *  - sandbox - If build process should run inside of a sandbox
+ *  - sandboxPaths - List of file paths to make available in Nix sandbox
 **/
 def build(Map opts = [:]) {
  def defaults = [
    pure: true,
    link: true,
    args: ['target': env.TARGET],
-    keep: [],
    conf: [:],
    attr: null,
-    sbox: [],
+    keepEnv: [],
    safeEnv: [],
+    sandbox: true,
+    sandboxPaths: [],
  ]
  /* merge defaults with received opts */
  opts = defaults + opts
  /* Previous merge overwrites the array */
  opts.args = defaults.args + opts.args
-  opts.keep = (opts.keep + defaults.keep).unique()
+  opts.keepEnv = (opts.keepEnv + defaults.keepEnv).unique()

  def nixPath = sh(
    returnStdout: true,
@ -92,7 +95,7 @@ private makeNixBuildEnvFile(Map opts = [:]) {
    """

    opts.args = opts.args + [ 'secrets-file': envFile.absolutePath ]
-    opts.sbox = opts.sbox + envFile.absolutePath
+    opts.sandboxPaths = opts.sandboxPaths + envFile.absolutePath
  }

  return envFile
@ -104,12 +107,13 @@ private def _getNixCommandArgs(Map opts = [:], boolean isShell) {
  if (!isShell || opts.attr != null) {
    entryPoint = "\'${env.WORKSPACE}/default.nix\'"
  }
-  def extraSandboxPathsFlag = ''
+  /* don't let nix.conf control sandbox status */
+  def extraSandboxPathsFlag = "--option sandbox ${opts.sandbox}"

  if (isShell) {
-    keepFlags = opts.keep.collect { var -> "--keep ${var} " }
+    keepFlags = opts.keepEnv.collect { var -> "--keep ${var} " }
  } else {
-    def envVarsList = opts.keep.collect { var -> "${var}=\"${env[var]}\";" }
+    def envVarsList = opts.keepEnv.collect { var -> "${var}=\"${env[var]}\";" }
    keepFlags = ["--arg env \'{${envVarsList.join("")}}\'"]

    /* Export the environment variables we want to keep into
@ -128,8 +132,8 @@ private def _getNixCommandArgs(Map opts = [:], boolean isShell) {
    def configFlags = opts.conf.collect { key,val -> "${key}=\"${val}\";" }
    configFlag = "--arg config \'{${configFlags.join('')}}\'"
  }
-  if (opts.sbox != null && !opts.sbox.isEmpty()) {
-    extraSandboxPathsFlag = "--option extra-sandbox-paths \"${opts.sbox.join(' ')}\""
+  if (opts.sandboxPaths != null && !opts.sandboxPaths.isEmpty()) {
+    extraSandboxPathsFlag += " --option extra-sandbox-paths \"${opts.sandboxPaths.join(' ')}\""
  }

  return [