fix: resolve SSL cert symlinks before entering sandbox

On NixOS, /etc/ssl/certs/ca-certificates.crt points through /etc/static,
which is not mounted. Resolve it to the actual /nix/store path first.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Christopher Mühl 2026-04-28 18:25:07 +02:00
parent aff389b9d4
commit 29996a2d40
No known key found for this signature in database
GPG key ID: 925AC7D69955293F


@ -264,11 +264,14 @@ AUDIT_SANDBOX_VALS[SHELL]="$SANDBOX_BASH"
AUDIT_SANDBOX_VALS[TMPDIR]="/tmp" AUDIT_SANDBOX_VALS[TMPDIR]="/tmp"
AUDIT_SANDBOX_VALS[XDG_RUNTIME_DIR]="/tmp" AUDIT_SANDBOX_VALS[XDG_RUNTIME_DIR]="/tmp"
# SSL cert path: prefer host NIX_SSL_CERT_FILE (NixOS sets this to a nix store path); # SSL cert path: resolve to real nix store path so symlinks work inside the sandbox.
# fall back to /etc/ssl/certs/ca-certificates.crt for non-NixOS hosts. # On NixOS, /etc/ssl/certs/ca-certificates.crt -> /etc/static/ssl/... -> /nix/store/...
# The sandbox mounts /nix/store but not /etc/static, so we must resolve before entering.
_SSL_CERT_DEFAULT="/etc/ssl/certs/ca-certificates.crt" _SSL_CERT_DEFAULT="/etc/ssl/certs/ca-certificates.crt"
_NIX_SSL_CERT="${NIX_SSL_CERT_FILE:-$_SSL_CERT_DEFAULT}" _NIX_SSL_CERT="${NIX_SSL_CERT_FILE:-$_SSL_CERT_DEFAULT}"
_NIX_SSL_CERT="$(readlink -f "$_NIX_SSL_CERT" 2>/dev/null || echo "$_NIX_SSL_CERT")"
_SSL_CERT="${SSL_CERT_FILE:-$_NIX_SSL_CERT}" _SSL_CERT="${SSL_CERT_FILE:-$_NIX_SSL_CERT}"
_SSL_CERT="$(readlink -f "$_SSL_CERT" 2>/dev/null || echo "$_SSL_CERT")"
ENV_ARGS+=( ENV_ARGS+=(
--setenv NIX_SSL_CERT_FILE "$_NIX_SSL_CERT" --setenv NIX_SSL_CERT_FILE "$_NIX_SSL_CERT"
--setenv SSL_CERT_FILE "$_SSL_CERT" --setenv SSL_CERT_FILE "$_SSL_CERT"