From 7b4444f17441fa2057a47c66f098487e6ee45d3d Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Sat, 24 Jan 2026 12:39:56 +0100
Subject: [PATCH] tests: fix sandbox-paths in cancelled-builds test

Don't add the whole store to sandbox-paths unconditionally. Exposing
the entire store defeats the purpose of sandboxing, and when the test
store is the same as the system store (NixOS VM), it causes an obscure
"Permission denied" error.

Only add sandbox-paths when not on NixOS, indicating a separate test
store that needs access to system store build tools.
---
 tests/functional/build.sh | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/tests/functional/build.sh b/tests/functional/build.sh
index f07827fd2db..dbc72d99135 100755
--- a/tests/functional/build.sh
+++ b/tests/functional/build.sh
@@ -224,9 +224,17 @@ if isDaemonNewer "2.34pre" && canUseSandbox; then
     mkdir -p "$fifoDir"
     mkfifo "$fifoDir/fifo"
     chmod a+rw "$fifoDir/fifo"
+    # When using a separate test store, we need sandbox-paths to access
+    # the system store (where bash/coreutils live). On NixOS, the test
+    # uses the system store directly, so this isn't needed (and would
+    # conflict with input paths).
+    sandboxPathsArg=()
+    if ! isTestOnNixOS; then
+        sandboxPathsArg=(--option sandbox-paths "/nix/store")
+    fi
     out="$(nix flake check ./cancelled-builds --impure -L -j2 \
         --option sandbox true \
-        --option sandbox-paths "${NIX_STORE:-/nix/store}" \
+        "${sandboxPathsArg[@]}" \
         --option sandbox-build-dir /build-tmp \
         --option extra-sandbox-paths "/cancelled-builds-fifo=$fifoDir" \
         2>&1)" && status=0 || status=$?
@@ -245,10 +253,14 @@ if isDaemonNewer "2.34pre" && canUseSandbox; then
     mkdir -p "$fifoDir"
     mkfifo "$fifoDir/fifo"
     chmod a+rw "$fifoDir/fifo"
+    sandboxPathsArg=()
+    if ! isTestOnNixOS; then
+        sandboxPathsArg=(--option sandbox-paths "/nix/store")
+    fi
     system=$(nix eval --raw --impure --expr builtins.currentSystem)
     out="$(nix build --impure -L -j2 \
         --option sandbox true \
-        --option sandbox-paths "${NIX_STORE:-/nix/store}" \
+        "${sandboxPathsArg[@]}" \
         --option sandbox-build-dir /build-tmp \
         --option extra-sandbox-paths "/cancelled-builds-fifo=$fifoDir" \
         "./cancelled-builds#checks.$system.slow" \