libstore/unix/derivation-builder: error earlier when sandbox path is inaccessible

cole-h · cole-h · commit dfa7b2a28896 · 2025-06-04T12:16:34.000-07:00
diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
@@ -992,10 +992,21 @@ void DerivationBuilderImpl::startBuilder()
                 i.pop_back();
             }
             size_t p = i.find('=');
-            if (p == std::string::npos)
-                pathsInChroot[i] = {i, optional};
-            else
-                pathsInChroot[i.substr(0, p)] = {i.substr(p + 1), optional};
+
+            std::string inside, outside;
+            if (p == std::string::npos) {
+                inside = i;
+                outside = i;
+            } else {
+                inside = i.substr(0, p);
+                outside = i.substr(p + 1);
+            }
+
+            if (!optional && !maybeLstat(outside)) {
+              throw SysError("path '%s' is configured as part of the `sandbox-paths` option, but is inaccessible", outside);
+            }
+
+            pathsInChroot[inside] = {outside, optional};
         }
         if (hasPrefix(store.storeDir, tmpDirInSandbox))
         {
diff --git a/tests/functional/linux-sandbox.sh b/tests/functional/linux-sandbox.sh
@@ -96,3 +96,8 @@ nix-sandbox-build symlink-derivation.nix -A test_sandbox_paths \
     --option extra-sandbox-paths "/dir=$TEST_ROOT" \
     --option extra-sandbox-paths "/symlinkDir=$symlinkDir" \
     --option extra-sandbox-paths "/symlink=$symlinkcert"
+
+# Nonexistent sandbox paths should error early in the build process
+expectStderr 1 nix-sandbox-build --option extra-sandbox-paths '/does-not-exist' \
+    -E 'with import '"${config_nix}"'; mkDerivation { name = "trivial"; buildCommand = "echo > $out"; }' |
+    grepQuiet "path '/does-not-exist' is configured as part of the \`sandbox-paths\` option, but is inaccessible"
