From 4390142315a0d6ed0f67712061498c68389ea3b7 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Sun, 15 Nov 2015 06:08:50 -0500 Subject: [PATCH 1/4] Use AutoDelete for sandbox profile file --- src/libstore/build.cc | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 1dee1ca2c..6f662f81d 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -778,9 +778,13 @@ private: DirsInChroot dirsInChroot; typedef map Environment; Environment env; +#if SANDBOX_ENABLED typedef string SandboxProfile; SandboxProfile additionalSandboxProfile; + AutoDelete autoDelSandbox; +#endif + /* Hash rewriting. */ HashRewrites rewritesToTmp, rewritesFromTmp; typedef map RedirectedOutputs; @@ -2445,9 +2449,10 @@ void DerivationGoal::runChild() const char *builder = "invalid"; string sandboxProfile; - if (isBuiltin(*drv)) + if (isBuiltin(*drv)) { ; - else if (useChroot && SANDBOX_ENABLED) { +#if SANDBOX_ENABLED + } else if (useChroot) { /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */ PathSet ancestry; @@ -2527,16 +2532,20 @@ void DerivationGoal::runChild() debug("Generated sandbox profile:"); debug(sandboxProfile); - Path tmpProfile = createTempDir() + "/profile.sb"; - writeFile(tmpProfile, sandboxProfile); + Path sandboxFile = drvPath + ".sb"; + if (pathExists(sandboxFile)) deletePath(sandboxFile); + autoDelSandbox = AutoDelete(sandboxFile); + + writeFile(sandboxFile, sandboxProfile); builder = "/usr/bin/sandbox-exec"; args.push_back("sandbox-exec"); args.push_back("-f"); - args.push_back(tmpProfile); + args.push_back(sandboxFile); args.push_back("-D"); args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back(drv->builder); +#endif } else { builder = drv->builder.c_str(); string builderBasename = baseNameOf(drv->builder); From 58d2fac91d0da7312e3ef147b6b290ea16031da8 Mon Sep 17 00:00:00 2001 
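Review bot: The `AutoDelete autoDelSandbox;` member added in the `@@ -778` hunk of build.cc is default-constructed unless DerivationGoal's constructor (outside the hunk) initializes it explicitly, and AutoDelete only gains a default constructor in patch 2/4. On its own this commit therefore likely does not build when SANDBOX_ENABLED is set. Folding the default-constructor change into this patch, or ordering it first, would keep every commit in the series buildable for bisection.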
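Review bot: In the `@@ -2445` hunk of build.cc the `#if SANDBOX_ENABLED` sits between `{ ;` and `} else if (useChroot) {`, so the braces of the if/else chain are split across a preprocessor conditional whose `#endif` only appears in the following hunk. That layout is easy to break when either branch is edited later. At minimum, label the closing directive as `#endif /* SANDBOX_ENABLED */`. The rest of the branch lies outside this hunk.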
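Review bot: In the `@@ -2527` hunk of build.cc, `autoDelSandbox` is armed inside `DerivationGoal::runChild()`. If that function runs in the forked builder process and ends in an exec, as its name and the `sandbox-exec` argument list suggest, the parent's copy of the member is never set and the child's destructor never runs, so `drvPath + ".sb"` would be left behind after every build. The new location is also a fixed, predictable name next to the derivation, and `pathExists`/`deletePath`/`writeFile` is a check-then-act sequence, whereas the removed `createTempDir()` gave a fresh private directory; how much that matters depends on who can write to that directory. I would keep `Path sandboxDir = createTempDir();` and `Path sandboxFile = sandboxDir + "/profile.sb";`, and create the file and register its cleanup in the parent before the child is started, which is outside this hunk. The same applies to the `autoDelSandbox.reset(sandboxFile, false);` line in the build.cc hunk of patch 2/4.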
From: Shea Levy Date: Mon, 16 Nov 2015 05:53:10 -0500 Subject: [PATCH 2/4] AutoDelete: Add default constructor with deletion disabled --- src/libstore/build.cc | 2 +- src/libutil/util.cc | 8 ++++++++ src/libutil/util.hh | 2 ++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 6f662f81d..6112d528c 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2534,7 +2534,7 @@ void DerivationGoal::runChild() Path sandboxFile = drvPath + ".sb"; if (pathExists(sandboxFile)) deletePath(sandboxFile); - autoDelSandbox = AutoDelete(sandboxFile); + autoDelSandbox.reset(sandboxFile, false); writeFile(sandboxFile, sandboxProfile); diff --git a/src/libutil/util.cc b/src/libutil/util.cc index 27116fd18..84f578eec 100644 --- a/src/libutil/util.cc +++ b/src/libutil/util.cc @@ -599,6 +599,8 @@ string drainFD(int fd) ////////////////////////////////////////////////////////////////////// +AutoDelete::AutoDelete() : del{false} {} + AutoDelete::AutoDelete(const string & p, bool recursive) : path(p) { del = true; @@ -626,6 +628,12 @@ void AutoDelete::cancel() del = false; } +void AutoDelete::reset(const Path & p, bool recursive = true) { + this-> p = p; + this->recursive = recursive; + del = true; +} + ////////////////////////////////////////////////////////////////////// diff --git a/src/libutil/util.hh b/src/libutil/util.hh index 23d01e9a6..f4026a0a8 100644 --- a/src/libutil/util.hh +++ b/src/libutil/util.hh @@ -199,9 +199,11 @@ class AutoDelete bool del; bool recursive; public: + AutoDelete(); AutoDelete(const Path & p, bool recursive = true); ~AutoDelete(); void cancel(); + void reset(const Path & p, bool recursive = true); operator Path() const { return path; } }; From 9b4cd20752886d2e5447297d5fd00dd83b1ce547 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Mon, 16 Nov 2015 05:54:34 -0500 Subject: [PATCH 3/4] Fix copy-paste error --- src/libutil/util.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
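Review bot: The default constructor added in the `@@ -599` hunk of util.cc initializes only `del`, so the `recursive` member declared in util.hh holds an indeterminate value until `reset()` is called. The implicit copy operations would read it. Initialize both members: `AutoDelete::AutoDelete() : del{false}, recursive{false} {}`.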
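Review bot: `reset()` in the `@@ -626` hunk of util.cc overwrites `path` without looking at the current state, so an object that is already armed silently stops tracking its previous path and that path is never deleted. Either delete the old path first when `del` is set, or state the contract at the definition, e.g. `/* Start tracking p; a previously tracked path is forgotten, not deleted. */`. The destructor that performs the deletion is outside this hunk, so confirm it tolerates a `path` that does not exist yet, since build.cc calls `reset()` before `writeFile()`.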
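Review bot: The class in the `@@ -199` hunk of util.hh keeps its implicit copy operations even though the new default constructor and `reset()` let AutoDelete be used as a long-lived member. A copy leaves two armed objects that will both try to delete the same path, which is what `autoDelSandbox = AutoDelete(sandboxFile);` in patch 1/4 did. Consider `AutoDelete(const AutoDelete &) = delete;` and `AutoDelete & operator=(const AutoDelete &) = delete;`. The top of the class is outside the hunk, so check that no existing caller depends on copying.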
diff --git a/src/libutil/util.cc b/src/libutil/util.cc index 84f578eec..0a19e79bc 100644 --- a/src/libutil/util.cc +++ b/src/libutil/util.cc @@ -629,7 +629,7 @@ void AutoDelete::cancel() } void AutoDelete::reset(const Path & p, bool recursive = true) { - this-> p = p; + path = p; this->recursive = recursive; del = true; } From 1d3529e93a449622987f259e6449a63fff62a1b2 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Mon, 16 Nov 2015 05:55:55 -0500 Subject: [PATCH 4/4] Default arguments belong at declaration, not definition --- src/libutil/util.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libutil/util.cc b/src/libutil/util.cc index 0a19e79bc..75032bf90 100644 --- a/src/libutil/util.cc +++ b/src/libutil/util.cc @@ -628,7 +628,7 @@ void AutoDelete::cancel() del = false; } -void AutoDelete::reset(const Path & p, bool recursive = true) { +void AutoDelete::reset(const Path & p, bool recursive) { path = p; this->recursive = recursive; del = true;