Merge branch 'main' into nix

.github/workflows/test.yaml

@@ -15,9 +15,13 @@ jobs:
     if: github.event.pull_request.draft == false
 
     steps:
+      - name: Allow unprivileged user namespaces (for Ubuntu 24.04)
+        run: |
+          sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Install dependencies
         run: |
-          sudo apt-get install expect mergerfs attr pandoc
+          sudo apt-get install util-linux expect mergerfs attr pandoc
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -50,6 +54,10 @@ jobs:
     if: github.event.pull_request.draft == false
 
     steps:
+      - name: Allow unprivileged user namespaces (for Ubuntu 24.04)
+        run: |
+          sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Install dependencies
         run: |
           sudo apt-get install expect mergerfs attr pandoc
@@ -92,6 +100,10 @@ jobs:
     if: github.event.pull_request.draft == false
 
     steps:
+      - name: Allow unprivileged user namespaces (for Ubuntu 24.04)
+        run: |
+          sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Install dependencies
         run: |
           sudo apt-get install expect mergerfs attr pandoc

test/stdstream.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree 2>/dev/null || echo "${0%/*}")}"
+TRY="$TRY_TOP/try"
+
+cmdfile="$(mktemp)"
+
+cat > "$cmdfile" <<'EOF'
+read x < /dev/stdin
+echo $((x * 2)) > /dev/stdout
+echo $((x * 3)) > /dev/stderr
+
+EOF
+
+chmod +x "$cmdfile"
+
+try_stdout=$(mktemp)
+try_stderr=$(mktemp)
+sh_stdout=$(mktemp)
+sh_stderr=$(mktemp)
+
+# test stdout
+echo 5 | "$TRY" "$cmdfile" >"$try_stdout" 2>"$try_stderr"
+echo 5 | sh "$cmdfile" >"$sh_stdout" 2>"$sh_stderr"
+
+diff "$try_stdout" "$sh_stdout" || exit 1
+
+# using grep because there's try errors printed
+grep -q 15 "$try_stderr"
+grep -q 15 "$sh_stderr"
+
+rm "$try_stdout" "$try_stderr" "$sh_stdout" "$sh_stderr"
+
+cat > "$cmdfile" <<'EOF'
+read x <&0
+echo $((x * 2)) >&1
+echo $((x * 3)) >&2
+
+EOF
+
+# test stdout
+echo 5 | "$TRY" "$cmdfile" >"$try_stdout" 2>"$try_stderr"
+echo 5 | sh "$cmdfile" >"$sh_stdout" 2>"$sh_stderr"
+
+diff "$try_stdout" "$sh_stdout" || exit 1
+
+# using grep because there's try errors printed
+grep -q 15 "$try_stderr"
+grep -q 15 "$sh_stderr"
+
+rm "$try_stdout" "$try_stderr" "$sh_stdout" "$sh_stderr"

test/tempfiles.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+# shellcheck disable=SC2010,SC2126,SC2181
+
+TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree 2>/dev/null || echo "${0%/*}")}"
+TRY="$TRY_TOP/try"
+
+workdir="$(mktemp -d)"
+cd "$workdir" || exit 1
+
+initial_count="$(ls "${TMPDIR-/tmp}" | grep -e "^.*\.try-[0-9]*$" | wc -l)"
+
+sandbox=$($TRY -n "touch $HOME/foo")
+[ $? -eq 0 ] || exit 2
+
+post_count="$(ls "${TMPDIR-/tmp}" | grep -e "^.*\.try-[0-9]*$" | wc -l)"
+
+# just one new tempfile
+[ "$((initial_count + 1))" -eq "$post_count" ] || exit 3
+[ -f "$sandbox/upperdir$HOME/foo" ] || exit 4
+
+# deliberately not the pattern of try sandboxes
+sandbox=local
+mkdir "$sandbox" || exit 5
+$TRY -D "$sandbox" "touch $HOME/bar" || exit 6
+
+final_count="$(ls "${TMPDIR-/tmp}" | grep -e "^.*\.try-[0-9]*$" | wc -l)"
+
+# no new tempfiles!
+[ "$post_count" -eq "$final_count" ] || exit 7
+[ -f "$sandbox/upperdir$HOME/bar" ] || exit 8

try

@@ -9,6 +9,8 @@
 
 TRY_VERSION="0.2.0"
 TRY_COMMAND="${0##*/}"
+EXECID="$(date +%s%3N)"
+export EXECID
 export TRY_COMMAND
 
 # exit status invariants
@@ -32,10 +34,15 @@ try() {
     if [ "$SANDBOX_DIR" ]
     then
         ## If the name of a sandbox is given then we need to exit prematurely if its directory doesn't exist
-        ! [ -d "$SANDBOX_DIR" ] && { error "could not find sandbox directory $SANDBOX_DIR" 2; }
+        [ -d "$SANDBOX_DIR" ] || error "could not find sandbox directory $SANDBOX_DIR" 2
+        # Force absolute path
+        SANDBOX_DIR="$(cd "$SANDBOX_DIR" && pwd)"
+
+        # shellcheck disable=SC2181
+        [ "$?" -eq 0 ] || error "could not find sandbox directory $SANDBOX_DIR (could not cd in)" 2
     else
         ## Create a new sandbox if one was not given
-        SANDBOX_DIR=$(mktemp -d)
+        SANDBOX_DIR="$(mktemp -d --suffix ".try-$EXECID")"
     fi
 
     ## If the sandbox is not valid we exit early
@@ -48,7 +55,11 @@ try() {
     ## because we have already checked if it valid.
     export SANDBOX_DIR
 
-    try_mount_log="$(mktemp)"
+    # We created "$IGNORE_FILE" up front, but now we can stash it in the sandbox.
+    mv "$IGNORE_FILE" "$SANDBOX_DIR"/ignore
+    IGNORE_FILE="$SANDBOX_DIR"/ignore
+
+    try_mount_log="$SANDBOX_DIR"/mount.log
     export try_mount_log
 
     # If we're in a docker container, we want to mount tmpfs on sandbox_dir, #136
@@ -64,14 +75,14 @@ try() {
     mkdir -p "$SANDBOX_DIR/upperdir" "$SANDBOX_DIR/workdir" "$SANDBOX_DIR/temproot"
 
     ## Find all the directories and mounts that need to be mounted
-    DIRS_AND_MOUNTS="$(mktemp)"
+    DIRS_AND_MOUNTS="$SANDBOX_DIR"/mounts
     export DIRS_AND_MOUNTS
     find / -maxdepth 1 >"$DIRS_AND_MOUNTS"
     findmnt --real -r -o target -n >>"$DIRS_AND_MOUNTS"
     sort -u -o "$DIRS_AND_MOUNTS" "$DIRS_AND_MOUNTS"
 
     # Calculate UPDATED_DIRS_AND_MOUNTS that contains the merge arguments in LOWER_DIRS
-    UPDATED_DIRS_AND_MOUNTS="$(mktemp)"
+    UPDATED_DIRS_AND_MOUNTS="$SANDBOX_DIR"/mounts.updated
     export UPDATED_DIRS_AND_MOUNTS
     while IFS="" read -r mountpoint
     do
@@ -122,9 +133,9 @@ try() {
 
     chmod "$(stat -c %a /)" "$SANDBOX_DIR/temproot"
 
-    mount_and_execute="$(mktemp)"
-    chroot_executable="$(mktemp)"
-    script_to_execute="$(mktemp)"
+    mount_and_execute="$SANDBOX_DIR"/mount_and_execute.sh
+    chroot_executable="$SANDBOX_DIR"/chroot_executable.sh
+    script_to_execute="$SANDBOX_DIR"/script_to_execute.sh
 
     export chroot_executable
     export script_to_execute
@@ -225,7 +236,8 @@ do
             ## We can ignore this mountpoint, if the user program tries to use it, it will crash, but if not we can run normally
             printf "%s: Warning: Failed mounting $mountpoint as an overlay and mergerfs or unionfs not set and could not be found, see \"$try_mount_log\"\n" "$TRY_COMMAND" >&2
         else
-            merger_dir=$(mktemp -d)
+            merger_dir="$SANDBOX_DIR"/mergerdir."$(echo "$pure_mountpoint" | tr '/' '.')"
+            mkdir "$merger_dir"
 
             ## Create a union directory
             "$UNION_HELPER" $mountpoint $merger_dir 2>>"$try_mount_log" ||
@@ -249,6 +261,10 @@ unshare --root="$SANDBOX_DIR/temproot" /bin/sh "$chroot_executable"
 exitcode="$?"
 
 # unmount the devices
+rm "$sandbox_dir/temproot/dev/stdin"
+rm "$sandbox_dir/temproot/dev/stdout"
+rm "$sandbox_dir/temproot/dev/stderr"
+
 unmount_devices "$SANDBOX_DIR"
 
 exit $exitcode
@@ -262,6 +278,9 @@ unset START_DIR SANDBOX_DIR UNION_HELPER DIRS_AND_MOUNTS TRY_EXIT_STATUS
 unset script_to_execute chroot_executable try_mount_log
 
 mount -t proc proc /proc &&
+ln -s /proc/self/fd/0 /dev/stdin &&
+ln -s /proc/self/fd/1 /dev/stdout &&
+ln -s /proc/self/fd/2 /dev/stderr &&
 cd "$START_DIR" &&
 . "$script_to_execute"
 EOF
@@ -603,7 +622,10 @@ EOF
 NO_COMMIT="interactive"
 
 # Includes all patterns given using the `-i` flag; will be used with `grep -f`
-IGNORE_FILE="$(mktemp)"
+#
+# We have to create this temporary up front.
+# We move it to $SANDBOX_DIR/ignore in `try()`, but delete it when we don't move it.
+IGNORE_FILE="$(mktemp --suffix ".try-$EXECID")"
 
 while getopts ":yvnhxi:D:U:L:" opt
 do
@@ -648,9 +670,13 @@ fi
 TRY_EXIT_STATUS=1
 case "$1" in
     (summary) : "${SANDBOX_DIR=$2}"
-              summary;;
+              summary
+              rm "$IGNORE_FILE" # we didn't move it to the sandbox, so clean up
+              ;;
     (commit)  : "${SANDBOX_DIR=$2}"
-              commit;;
+              commit
+              rm "$IGNORE_FILE" # we didn't move it to the sandbox, so clean up
+              ;;
     (explore) : "${SANDBOX_DIR=$2}"
               try "$SHELL";;
     (--)      shift