diff options
| author | Jude Taylor <me@jude.bio> | 2015-11-17T18·08-0800 |
|---|---|---|
| committer | Jude Taylor <me@jude.bio> | 2015-11-17T18·08-0800 |
| commit | 36f7fcc157de8d4f1b195f0e3cb7e384d4083c2a (patch) | |
| tree | cbbb9c28c18277528b9ed130742e01987a48a76b | |
| parent | bd09a4c96799275d105b5ffe9a6fcb60200deb5f (diff) | |
| parent | 1d3529e93a449622987f259e6449a63fff62a1b2 (diff) | |
Merge pull request #1 from shlevy/sandbox-profiles
Use AutoDelete for sandbox profile file
| -rw-r--r-- | src/libstore/build.cc | 19 | ||||
| -rw-r--r-- | src/libutil/util.cc | 8 | ||||
| -rw-r--r-- | src/libutil/util.hh | 2 |
3 files changed, 24 insertions, 5 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 1dee1ca2cd65..6112d528cce5 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -778,9 +778,13 @@ private: DirsInChroot dirsInChroot; typedef map<string, string> Environment; Environment env; +#if SANDBOX_ENABLED typedef string SandboxProfile; SandboxProfile additionalSandboxProfile; + AutoDelete autoDelSandbox; +#endif + /* Hash rewriting. */ HashRewrites rewritesToTmp, rewritesFromTmp; typedef map<Path, Path> RedirectedOutputs; @@ -2445,9 +2449,10 @@ void DerivationGoal::runChild() const char *builder = "invalid"; string sandboxProfile; - if (isBuiltin(*drv)) + if (isBuiltin(*drv)) { ; - else if (useChroot && SANDBOX_ENABLED) { +#if SANDBOX_ENABLED + } else if (useChroot) { /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */ PathSet ancestry; @@ -2527,16 +2532,20 @@ void DerivationGoal::runChild() debug("Generated sandbox profile:"); debug(sandboxProfile); - Path tmpProfile = createTempDir() + "/profile.sb"; - writeFile(tmpProfile, sandboxProfile); + Path sandboxFile = drvPath + ".sb"; + if (pathExists(sandboxFile)) deletePath(sandboxFile); + autoDelSandbox.reset(sandboxFile, false); + + writeFile(sandboxFile, sandboxProfile); builder = "/usr/bin/sandbox-exec"; args.push_back("sandbox-exec"); args.push_back("-f"); - args.push_back(tmpProfile); + args.push_back(sandboxFile); args.push_back("-D"); args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back(drv->builder); +#endif } else { builder = drv->builder.c_str(); string builderBasename = baseNameOf(drv->builder); diff --git a/src/libutil/util.cc b/src/libutil/util.cc index 27116fd18297..75032bf90d0b 100644 --- a/src/libutil/util.cc +++ b/src/libutil/util.cc @@ -599,6 +599,8 @@ string drainFD(int fd) ////////////////////////////////////////////////////////////////////// +AutoDelete::AutoDelete() : del{false} {} + AutoDelete::AutoDelete(const string & p, bool recursive) : path(p) { del = true; @@ -626,6 +628,12 @@ void AutoDelete::cancel() del = false; } +void AutoDelete::reset(const Path & p, bool recursive) { + path = p; + this->recursive = recursive; + del = true; +} + ////////////////////////////////////////////////////////////////////// diff --git a/src/libutil/util.hh b/src/libutil/util.hh index 23d01e9a6ca0..f4026a0a884b 100644 --- a/src/libutil/util.hh +++ b/src/libutil/util.hh @@ -199,9 +199,11 @@ class AutoDelete bool del; bool recursive; public: + AutoDelete(); AutoDelete(const Path & p, bool recursive = true); ~AutoDelete(); void cancel(); + void reset(const Path & p, bool recursive = true); operator Path() const { return path; } }; |