Merge pull request #11047 from NixOS/backport-11046-to-2.18-maintenance

[Backport 2.18-maintenance] [Backport 2.21-maintenance] libstore: fix sandboxed builds on macOS
2024-11-22 06:42:28 +00:00 · 2024-07-05 19:40:45 +02:00 · 2024-07-05 19:40:45 +02:00 · 217fadd993
commit 217fadd993
parent 5e160c9cfe 0b97319ed4
2 changed files with 23 additions and 6 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -484,13 +484,23 @@ void LocalDerivationGoal::startBuilder()

    /* Create a temporary directory where the build will take
       place. */
-    tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+    topTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+#if __APPLE__
+    if (false) {
+#else
    if (useChroot) {
+#endif
        /* If sandboxing is enabled, put the actual TMPDIR underneath
           an inaccessible root-owned directory, to prevent outside
-           access. */
-        tmpDir = tmpDir + "/build";
+           access.
+
+           On macOS, we don't use an actual chroot, so this isn't
+           possible. Any mitigation along these lines would have to be
+           done directly in the sandbox profile. */
+        tmpDir = topTmpDir + "/build";
        createDir(tmpDir, 0700);
+    } else {
+        tmpDir = topTmpDir;
    }
    chownToBuilder(tmpDir);

@ -2957,7 +2967,7 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo

 void LocalDerivationGoal::deleteTmpDir(bool force)
 {
-    if (tmpDir != "") {
+    if (topTmpDir != "") {
        /* Don't keep temporary directories for builtins because they
           might have privileged stuff (like a copy of netrc). */
        if (settings.keepFailed && !force && !drv->isBuiltin()) {
@ -2965,7 +2975,8 @@ void LocalDerivationGoal::deleteTmpDir(bool force)
            chmod(tmpDir.c_str(), 0755);
        }
        else
-            deletePath(tmpDir);
+            deletePath(topTmpDir);
+        topTmpDir = "";
        tmpDir = "";
    }
 }
--- a/src/libstore/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh
@ -26,10 +26,16 @@ struct LocalDerivationGoal : public DerivationGoal
    std::optional<Path> cgroup;

    /**
-     * The temporary directory.
+     * The temporary directory used for the build.
     */
    Path tmpDir;

+    /**
+     * The top-level temporary directory. `tmpDir` is either equal to
+     * or a child of this directory.
+     */
+    Path topTmpDir;
+
    /**
     * The path of the temporary directory in the sandbox.
     */