libstore: clean up the build directory properly

After the fix for CVE-2024-38531, this was only removing the nested
build directory, rather than the top‐level temporary directory.

Fixes: 1d3696f0fb
(cherry picked from commit 76e4adfaac)
(cherry picked from commit 0d68b40dda)
This commit is contained in:
Emily 2024-07-04 16:19:51 +01:00 committed by github-actions[bot]
parent 1e896c1738
commit 98a7d3b0a4
2 changed files with 12 additions and 5 deletions

View File

@ -498,12 +498,12 @@ void LocalDerivationGoal::startBuilder()
/* Create a temporary directory where the build will take /* Create a temporary directory where the build will take
place. */ place. */
tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700); topTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
if (useChroot) { if (useChroot) {
/* If sandboxing is enabled, put the actual TMPDIR underneath /* If sandboxing is enabled, put the actual TMPDIR underneath
an inaccessible root-owned directory, to prevent outside an inaccessible root-owned directory, to prevent outside
access. */ access. */
tmpDir = tmpDir + "/build"; tmpDir = topTmpDir + "/build";
createDir(tmpDir, 0700); createDir(tmpDir, 0700);
} }
chownToBuilder(tmpDir); chownToBuilder(tmpDir);
@ -2930,7 +2930,7 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo
void LocalDerivationGoal::deleteTmpDir(bool force) void LocalDerivationGoal::deleteTmpDir(bool force)
{ {
if (tmpDir != "") { if (topTmpDir != "") {
/* Don't keep temporary directories for builtins because they /* Don't keep temporary directories for builtins because they
might have privileged stuff (like a copy of netrc). */ might have privileged stuff (like a copy of netrc). */
if (settings.keepFailed && !force && !drv->isBuiltin()) { if (settings.keepFailed && !force && !drv->isBuiltin()) {
@ -2938,7 +2938,8 @@ void LocalDerivationGoal::deleteTmpDir(bool force)
chmod(tmpDir.c_str(), 0755); chmod(tmpDir.c_str(), 0755);
} }
else else
deletePath(tmpDir); deletePath(topTmpDir);
topTmpDir = "";
tmpDir = ""; tmpDir = "";
} }
} }

View File

@ -27,10 +27,16 @@ struct LocalDerivationGoal : public DerivationGoal
std::optional<Path> cgroup; std::optional<Path> cgroup;
/** /**
* The temporary directory. * The temporary directory used for the build.
*/ */
Path tmpDir; Path tmpDir;
/**
* The top-level temporary directory. `tmpDir` is either equal to
* or a child of this directory.
*/
Path topTmpDir;
/** /**
* The path of the temporary directory in the sandbox. * The path of the temporary directory in the sandbox.
*/ */