Fix --no-sandbox

When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

(cherry picked from commit 86ca2d6d94c0581fda0c666c5e022784952f3542)
(cherry picked from commit 8f58b98770)
This commit is contained in:
Eelco Dolstra 2024-05-14 14:12:08 +02:00
parent eee27e83e0
commit caf4082dce

View File

@ -496,13 +496,16 @@ void LocalDerivationGoal::startBuilder()
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
#endif
/* Create a temporary directory where the build will take place.
* That directory is wrapped into a restricted daemon-owned one to make sure
* that the builder can't open its build directory to the world.
* */
auto parentTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
tmpDir = parentTmpDir + "/build";
createDir(tmpDir, 0700);
/* Create a temporary directory where the build will take
place. */
tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
if (useChroot) {
/* If sandboxing is enabled, put the actual TMPDIR underneath
an inaccessible root-owned directory, to prevent outside
access. */
tmpDir = tmpDir + "/build";
createDir(tmpDir, 0700);
}
chownToBuilder(tmpDir);
for (auto & [outputName, status] : initialOutputs) {