Copy the output of fixed-output derivations before registering them
It is possible to exfiltrate a file descriptor out of the build sandbox of FODs, and use it to modify the store path after it has been registered. To avoid that issue, don't register the output of the build, but a copy of it (that will be free of any leaked file descriptor).
parent
9c0be4c156
commit
8c27eb6c1b
@ -3286,10 +3286,17 @@ void DerivationGoal::registerOutputs()
|
|||||||
throw BuildError(format("suspicious ownership or permission on '%1%'; rejecting this build output") % path);
|
throw BuildError(format("suspicious ownership or permission on '%1%'; rejecting this build output") % path);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Apply hash rewriting if necessary. */
|
/* Apply hash rewriting if necessary.
|
||||||
|
*
|
||||||
|
* For FODs, we always do the dump-and-restore dance regardless to make
|
||||||
|
* sure that there's no stale file descriptor pointing to the output
|
||||||
|
* of the path.
|
||||||
|
* */
|
||||||
bool rewritten = false;
|
bool rewritten = false;
|
||||||
if (!outputRewrites.empty()) {
|
if (fixedOutput || !outputRewrites.empty()) {
|
||||||
|
if (!outputRewrites.empty()) {
|
||||||
printError(format("warning: rewriting hashes in '%1%'; cross fingers") % path);
|
printError(format("warning: rewriting hashes in '%1%'; cross fingers") % path);
|
||||||
|
}
|
||||||
|
|
||||||
/* Canonicalise first. This ensures that the path we're
|
/* Canonicalise first. This ensures that the path we're
|
||||||
rewriting doesn't contain a hard link to /etc/shadow or
|
rewriting doesn't contain a hard link to /etc/shadow or
|
||||||
|
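Review bot: The new `fixedOutput ||` condition makes the registered path a fresh copy, but whether that closes the hole depends on ordering this hunk does not show: if the fixed-output hash is verified against the original `path` before the dump-and-restore, a process still holding a descriptor leaked from the sandbox can change the content between that check and the copy, and the copy would then carry the tampered data under an already-accepted hash. The hash comparison and the later canonicalisation/registration should operate on the restored copy (or the dump itself should be what is hashed); registerOutputs continues outside the hunk, so this needs confirming there. The new comment block would also read more precisely as `/* Apply hash rewriting if necessary. For fixed-output derivations we always dump and restore, even with no rewrites, so that no file descriptor leaked from the sandbox can still reach the output that gets registered. */`, which also drops the stray `* */` closer.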