libstore: clean up the build directory properly

After the fix for CVE-2024-38531, this was only removing the nested build directory, rather than the top‐level temporary directory. Fixes: 1d3696f0fb (cherry picked from commit 76e4adfaac)
2024-11-21 22:32:26 +00:00 · 2024-07-04 16:19:51 +01:00 · 2024-07-04 16:19:51 +01:00 · 1a46fb95dd
commit 1a46fb95dd
parent 5911f66eba
2 changed files with 12 additions and 5 deletions
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@ -501,12 +501,12 @@ void LocalDerivationGoal::startBuilder()

    /* Create a temporary directory where the build will take
       place. */
-    tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+    topTmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
    if (useChroot) {
        /* If sandboxing is enabled, put the actual TMPDIR underneath
           an inaccessible root-owned directory, to prevent outside
           access. */
-        tmpDir = tmpDir + "/build";
+        tmpDir = topTmpDir + "/build";
        createDir(tmpDir, 0700);
    }
    chownToBuilder(tmpDir);
@ -2961,7 +2961,7 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo

 void LocalDerivationGoal::deleteTmpDir(bool force)
 {
-    if (tmpDir != "") {
+    if (topTmpDir != "") {
        /* Don't keep temporary directories for builtins because they
           might have privileged stuff (like a copy of netrc). */
        if (settings.keepFailed && !force && !drv->isBuiltin()) {
@ -2969,7 +2969,8 @@ void LocalDerivationGoal::deleteTmpDir(bool force)
            chmod(tmpDir.c_str(), 0755);
        }
        else
-            deletePath(tmpDir);
+            deletePath(topTmpDir);
+        topTmpDir = "";
        tmpDir = "";
    }
 }
--- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/unix/build/local-derivation-goal.hh
@ -27,10 +27,16 @@ struct LocalDerivationGoal : public DerivationGoal
    std::optional<Path> cgroup;

    /**
-     * The temporary directory.
+     * The temporary directory used for the build.
     */
    Path tmpDir;

+    /**
+     * The top-level temporary directory. `tmpDir` is either equal to
+     * or a child of this directory.
+     */
+    Path topTmpDir;
+
    /**
     * The path of the temporary directory in the sandbox.
     */