Don't allow sandbox profile except in relaxed mode

This makes Darwin consistent with Linux: Nix expressions can't break
out of the sandbox unless relaxed sandbox mode is enabled.

For the normal (non-relaxed) sandbox mode, however, this will require fixing #759.
Eelco Dolstra 2016-01-04 16:32:16 +01:00
parent 9be037448c
commit 71a93a5f0e


@ -1710,6 +1710,10 @@ void DerivationGoal::startBuilder()
% drv->platform % settings.thisSystem % drvPath); % drv->platform % settings.thisSystem % drvPath);
} }
#if __APPLE__
additionalSandboxProfile = get(drv->env, "__sandboxProfile");
#endif
/* Are we doing a chroot build? Note that fixed-output /* Are we doing a chroot build? Note that fixed-output
derivations are never done in a chroot, mainly so that derivations are never done in a chroot, mainly so that
functions like fetchurl (which needs a proper /etc/resolv.conf) functions like fetchurl (which needs a proper /etc/resolv.conf)
@ -1723,7 +1727,11 @@ void DerivationGoal::startBuilder()
throw Error("option build-use-sandbox must be set to one of true, false or relaxed"); throw Error("option build-use-sandbox must be set to one of true, false or relaxed");
if (x == "true") { if (x == "true") {
if (get(drv->env, "__noChroot") == "1") if (get(drv->env, "__noChroot") == "1")
throw Error(format("derivation %1% has __noChroot set, but that's not allowed when build-use-sandbox is true") % drvPath); throw Error(format("derivation %1% has __noChroot set, "
"but that's not allowed when build-use-sandbox is true") % drvPath);
if (additionalSandboxProfile != "")
throw Error(format("derivation %1% specifies a sandbox profile, "
"but this is only allowed when build-use-sandbox is relaxed") % drvPath);
useChroot = true; useChroot = true;
} }
else if (x == "false") else if (x == "false")
@ -1924,9 +1932,6 @@ void DerivationGoal::startBuilder()
for (auto & i : closure) for (auto & i : closure)
dirsInChroot[i] = i; dirsInChroot[i] = i;
#if __APPLE__
additionalSandboxProfile = get(drv->env, "__sandboxProfile");
#endif
string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES)); string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
PathSet allowedPaths = tokenizeString<StringSet>(allowed); PathSet allowedPaths = tokenizeString<StringSet>(allowed);
@ -1948,7 +1953,7 @@ void DerivationGoal::startBuilder()
} }
} }
if (!found) if (!found)
throw Error(format("derivation '%1%' requested impure path %2%, but it was not in allowed-impure-host-deps (%3%)") % drvPath % i % allowed); throw Error(format("derivation %1% requested impure path %2%, but it was not in allowed-impure-host-deps (%3%)") % drvPath % i % allowed);
dirsInChroot[i] = i; dirsInChroot[i] = i;
} }
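Review bot: The new guard `if (additionalSandboxProfile != "")` in the second hunk says nothing about why a derivation-supplied profile must be refused, and it quietly relies on `additionalSandboxProfile` remaining empty on non-Apple platforms, where the `#if __APPLE__` assignment in the first hunk never runs. A one-line comment above the check would make both explicit: `/* A __sandboxProfile lets the derivation widen the Darwin sandbox (the string stays empty elsewhere), so like __noChroot it is honoured only in relaxed mode. */`. The error text claims a profile is "only allowed when build-use-sandbox is relaxed", yet the check sits solely in the `x == "true"` branch and the `false` branch (body outside the hunk) shows no equivalent test, presumably because no sandbox is applied there; wording it `"but that's not allowed when build-use-sandbox is true"` would mirror the `__noChroot` message and state exactly what is enforced. `DerivationGoal::startBuilder` begins and ends outside these hunks.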