Merge fdc5d1e894 into 0e1323c041

src/libstore/unix/build/local-derivation-goal.cc

@@ -2114,6 +2114,9 @@ void LocalDerivationGoal::runChild()
             if (rmdir("real-root") == -1)
                 throw SysError("cannot remove real-root directory");
 
+            // Make build root read-only, so `mkdir /homeless-shelter` would fail.
+            chmod_("/", 0555);
+
             /* Switch to the sandbox uid/gid in the user namespace,
                which corresponds to the build user or calling user in
                the parent namespace. */

tests/functional/build.sh

@@ -153,6 +153,11 @@ nix build --impure -f multiple-outputs.nix --json e --no-link \
     (.outputs | keys == ["a_a", "b"]))
 '
 
+# Make sure that `mkdir $HOME` fails with a "Permission denied" or "Operation not permitted" error
+out="$(nix build -f mkdir-home-failing.nix -L 2>&1)" && status=0 || status=$?
+test "$status" = 1
+<<<"$out" grepQuiet -E "Permission denied" || <<<"$out" grepQuiet -E "Operation not permitted"
+
 # Make sure that `--stdin` works and does not apply any defaults
 printf "" | nix build --no-link --stdin --json | jq --exit-status '. == []'
 printf "%s\n" "$drv^*" | nix build --no-link --stdin --json | jq --exit-status '.[0]|has("drvPath")'

tests/functional/mkdir-home-failing.nix

@@ -0,0 +1,8 @@
+with import ./config.nix;
+mkDerivation {
+  name = "mkdir-home-no-permission";
+  builder = builtins.toFile "builder.sh"
+    ''
+      mkdir $HOME
+    '';
+}