Merge pull request #11031 from emilazy/push-xsrvoyspsvqx

libstore: fix sandboxed builds on macOS
This commit is contained in:
Robert Hensing 2024-07-05 17:08:39 +02:00 committed by GitHub
commit a476383f46
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 23 additions and 6 deletions

View file

@ -503,13 +503,23 @@ void LocalDerivationGoal::startBuilder()
/* Create a temporary directory where the build will take /* Create a temporary directory where the build will take
place. */ place. */
tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700); topTmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
#if __APPLE__
if (false) {
#else
if (useChroot) { if (useChroot) {
#endif
/* If sandboxing is enabled, put the actual TMPDIR underneath /* If sandboxing is enabled, put the actual TMPDIR underneath
an inaccessible root-owned directory, to prevent outside an inaccessible root-owned directory, to prevent outside
access. */ access.
tmpDir = tmpDir + "/build";
On macOS, we don't use an actual chroot, so this isn't
possible. Any mitigation along these lines would have to be
done directly in the sandbox profile. */
tmpDir = topTmpDir + "/build";
createDir(tmpDir, 0700); createDir(tmpDir, 0700);
} else {
tmpDir = topTmpDir;
} }
chownToBuilder(tmpDir); chownToBuilder(tmpDir);
@ -2980,7 +2990,7 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo
void LocalDerivationGoal::deleteTmpDir(bool force) void LocalDerivationGoal::deleteTmpDir(bool force)
{ {
if (tmpDir != "") { if (topTmpDir != "") {
/* Don't keep temporary directories for builtins because they /* Don't keep temporary directories for builtins because they
might have privileged stuff (like a copy of netrc). */ might have privileged stuff (like a copy of netrc). */
if (settings.keepFailed && !force && !drv->isBuiltin()) { if (settings.keepFailed && !force && !drv->isBuiltin()) {
@ -2988,7 +2998,8 @@ void LocalDerivationGoal::deleteTmpDir(bool force)
chmod(tmpDir.c_str(), 0755); chmod(tmpDir.c_str(), 0755);
} }
else else
deletePath(tmpDir); deletePath(topTmpDir);
topTmpDir = "";
tmpDir = ""; tmpDir = "";
} }
} }

View file

@ -27,10 +27,16 @@ struct LocalDerivationGoal : public DerivationGoal
std::optional<Path> cgroup; std::optional<Path> cgroup;
/** /**
* The temporary directory. * The temporary directory used for the build.
*/ */
Path tmpDir; Path tmpDir;
/**
* The top-level temporary directory. `tmpDir` is either equal to
* or a child of this directory.
*/
Path topTmpDir;
/** /**
* The path of the temporary directory in the sandbox. * The path of the temporary directory in the sandbox.
*/ */