Fix --no-sandbox

When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

(cherry picked from commit 86ca2d6d94c0581fda0c666c5e022784952f3542)
(cherry picked from commit 8f58b98770)

src/libstore/build/local-derivation-goal.cc

@@ -494,13 +494,16 @@ void LocalDerivationGoal::startBuilder()
     additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
 #endif
 
-    /* Create a temporary directory where the build will take place.
-     * That directory is wrapped into a restricted daemon-owned one to make sure
-     * that the builder can't open its build directory to the world.
-     * */
-    auto parentTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
-    tmpDir = parentTmpDir + "/build";
-    createDir(tmpDir, 0700);
+    /* Create a temporary directory where the build will take
+       place. */
+    tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+    if (useChroot) {
+        /* If sandboxing is enabled, put the actual TMPDIR underneath
+           an inaccessible root-owned directory, to prevent outside
+           access. */
+        tmpDir = tmpDir + "/build";
+        createDir(tmpDir, 0700);
+    }
     chownToBuilder(tmpDir);
 
     for (auto & [outputName, status] : initialOutputs) {