Merge pull request #11047 from NixOS/backport-11046-to-2.18-maintenance

[Backport 2.18-maintenance] [Backport 2.21-maintenance] libstore: fix sandboxed builds on macOS
Robert Hensing 2024-07-05 19:40:45 +02:00 committed by GitHub
commit 217fadd993
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 23 additions and 6 deletions


@ -484,13 +484,23 @@ void LocalDerivationGoal::startBuilder()
/* Create a temporary directory where the build will take /* Create a temporary directory where the build will take
place. */ place. */
tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700); topTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
#if __APPLE__
if (false) {
#else
if (useChroot) { if (useChroot) {
#endif
/* If sandboxing is enabled, put the actual TMPDIR underneath /* If sandboxing is enabled, put the actual TMPDIR underneath
an inaccessible root-owned directory, to prevent outside an inaccessible root-owned directory, to prevent outside
access. */ access.
tmpDir = tmpDir + "/build";
On macOS, we don't use an actual chroot, so this isn't
possible. Any mitigation along these lines would have to be
done directly in the sandbox profile. */
tmpDir = topTmpDir + "/build";
createDir(tmpDir, 0700); createDir(tmpDir, 0700);
} else {
tmpDir = topTmpDir;
} }
chownToBuilder(tmpDir); chownToBuilder(tmpDir);
@ -2957,7 +2967,7 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo
void LocalDerivationGoal::deleteTmpDir(bool force) void LocalDerivationGoal::deleteTmpDir(bool force)
{ {
if (tmpDir != "") { if (topTmpDir != "") {
/* Don't keep temporary directories for builtins because they /* Don't keep temporary directories for builtins because they
might have privileged stuff (like a copy of netrc). */ might have privileged stuff (like a copy of netrc). */
if (settings.keepFailed && !force && !drv->isBuiltin()) { if (settings.keepFailed && !force && !drv->isBuiltin()) {
@ -2965,7 +2975,8 @@ void LocalDerivationGoal::deleteTmpDir(bool force)
chmod(tmpDir.c_str(), 0755); chmod(tmpDir.c_str(), 0755);
} }
else else
deletePath(tmpDir); deletePath(topTmpDir);
topTmpDir = "";
tmpDir = ""; tmpDir = "";
} }
} }
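Review bot: On macOS the `#if __APPLE__` / `if (false) {` pair means `tmpDir` is always `topTmpDir`, so the `chownToBuilder(tmpDir)` that follows hands the top-level directory itself to the build user, and the root-owned parent described in the comment does not exist there. The only explanation of this sits inside the branch that macOS never takes. Splitting the `if` header across preprocessor branches also makes the brace structure hard to follow and easy to break in a later edit. I would name the decision once and put the macOS caveat next to it, as in the fence below, so the platform gap is visible where the choice is made. `startBuilder` begins and ends outside this hunk, so whether anything later compensates on macOS cannot be seen from here.

```cpp
    /* On macOS there is no actual chroot, so the build directory cannot
       be nested under an inaccessible root-owned parent; any equivalent
       protection would have to come from the sandbox profile. */
#if __APPLE__
    const bool nestBuildDir = false;
#else
    const bool nestBuildDir = useChroot;
#endif
    if (nestBuildDir) {
        // … unchanged: nested "/build" directory creation and the else branch …
```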


@ -26,10 +26,16 @@ struct LocalDerivationGoal : public DerivationGoal
std::optional<Path> cgroup; std::optional<Path> cgroup;
/** /**
* The temporary directory. * The temporary directory used for the build.
*/ */
Path tmpDir; Path tmpDir;
/**
* The top-level temporary directory. `tmpDir` is either equal to
* or a child of this directory.
*/
Path topTmpDir;
/** /**
* The path of the temporary directory in the sandbox. * The path of the temporary directory in the sandbox.
*/ */