Copy the output of fixed-output derivations before registering them

It is possible to exfiltrate a file descriptor out of the build sandbox of FODs, and use it to modify the store path after it has been registered. To avoid that issue, don't register the output of the build, but a copy of it (that will be free of any leaked file descriptor).
2024-11-22 06:42:28 +00:00 · 2024-02-13 08:28:02 +01:00 · 2024-02-13 08:28:02 +01:00 · 8c27eb6c1b
commit 8c27eb6c1b
parent 9c0be4c156
1 changed files with 9 additions and 2 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -3286,10 +3286,17 @@ void DerivationGoal::registerOutputs()
            throw BuildError(format("suspicious ownership or permission on '%1%'; rejecting this build output") % path);
 #endif

-        /* Apply hash rewriting if necessary. */
+        /* Apply hash rewriting if necessary.
+         *
+         * For FODs, we always do the dump-and-restore dance regardless to make
+         * sure that there's no stale file descriptor pointing to the output
+         * of the path.
+         * */
        bool rewritten = false;
-        if (!outputRewrites.empty()) {
+        if (fixedOutput || !outputRewrites.empty()) {
+            if (!outputRewrites.empty()) {
            printError(format("warning: rewriting hashes in '%1%'; cross fingers") % path);
+            }

            /* Canonicalise first.  This ensures that the path we're
               rewriting doesn't contain a hard link to /etc/shadow or