Set $HOME=/proc/homeless-shelter on Linux, and /homeless-shelter on OSX.

This commit is contained in:
Noam Yorav-Raphael 2024-08-19 20:18:08 +03:00
parent 77d84a8d8b
commit 62b9a26f60
2 changed files with 9 additions and 1 deletions

View file

@ -264,7 +264,8 @@ The [`builder`](#attr-builder) is executed as follows:
- `PATH` is set to `/path-not-set` to prevent shells from - `PATH` is set to `/path-not-set` to prevent shells from
initialising it to their built-in default value. initialising it to their built-in default value.
- `HOME` is set to `/proc/homeless-shelter` to prevent programs from - `HOME` is set to `/proc/homeless-shelter` on Linux and `/homeless-shelter`
on OSX, to prevent programs from
using `/etc/passwd` or the like to find the user's home using `/etc/passwd` or the like to find the user's home
directory, which could cause impurity. Usually, when `HOME` is directory, which could cause impurity. Usually, when `HOME` is
set, it is used as the location of the home directory, even if set, it is used as the location of the home directory, even if

View file

@ -102,7 +102,14 @@ void handleDiffHook(
} }
} }
// We want $HOME to be un-creatable in the sandbox. On Linux,
// you can't create anything inside /proc since it's a virtual filesystem.
// On Darwin it seems that `/homeless-shelter` is good enough.
#if __linux__
const Path LocalDerivationGoal::homeDir = "/proc/homeless-shelter"; const Path LocalDerivationGoal::homeDir = "/proc/homeless-shelter";
#else
const Path LocalDerivationGoal::homeDir = "/homeless-shelter";
#endif
LocalDerivationGoal::~LocalDerivationGoal() LocalDerivationGoal::~LocalDerivationGoal()