authorShea Levy <shea@shealevy.com>2015-11-15T11·08-0500
committerShea Levy <shea@shealevy.com>2015-11-15T11·08-0500
commit4390142315a0d6ed0f67712061498c68389ea3b7 (patch)
tree48e1620a9bd76e73a978c75419aacc9efe6ef789
parentbd09a4c96799275d105b5ffe9a6fcb60200deb5f (diff)
Use AutoDelete for sandbox profile file
-rw-r--r--src/libstore/build.cc19
1 files changed, 14 insertions, 5 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 1dee1ca2cd65..6f662f81daaf 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -778,9 +778,13 @@ private:
     DirsInChroot dirsInChroot;
     typedef map<string, string> Environment;
     Environment env;
+#if SANDBOX_ENABLED
     typedef string SandboxProfile;
     SandboxProfile additionalSandboxProfile;
 
+    AutoDelete autoDelSandbox;
+#endif
+
     /* Hash rewriting. */
     HashRewrites rewritesToTmp, rewritesFromTmp;
     typedef map<Path, Path> RedirectedOutputs;
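Review bot: `additionalSandboxProfile` and its typedef are now declared only under `#if SANDBOX_ENABLED`, so any reference elsewhere in build.cc that is not under the same guard will stop compiling on builds without the sandbox. No such use is visible in this diff, so it needs checking. The new member also has no comment; something like `/* Removes the generated sandbox profile file when the goal is destroyed. */` above `AutoDelete autoDelSandbox;` would document its purpose. The class body starts and ends outside this hunk.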
@@ -2445,9 +2449,10 @@ void DerivationGoal::runChild()
         const char *builder = "invalid";
 
         string sandboxProfile;
-        if (isBuiltin(*drv))
+        if (isBuiltin(*drv)) {
             ;
-        else if (useChroot && SANDBOX_ENABLED) {
+#if SANDBOX_ENABLED
+        } else if (useChroot) {
             /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
             PathSet ancestry;
 
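Review bot: The `#if SANDBOX_ENABLED` starts between `{ ;` and `} else if (useChroot) {`, so the closing brace of the builtin branch sits inside the conditional region. The matching `#endif` comes just before `} else {` in the next hunk, and the braces only balance when both halves are read together. Keeping the `}` outside the conditional, with `#if`/`#endif` around only the `else if (useChroot) { ... }` arm, would be easier to maintain. Failing that, a comment on the `#if` such as `/* sandbox branch compiled only when SANDBOX_ENABLED; #endif precedes the final else */` would help. runChild() begins and ends outside this hunk.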
@@ -2527,16 +2532,20 @@ void DerivationGoal::runChild()
             debug("Generated sandbox profile:");
             debug(sandboxProfile);
 
-            Path tmpProfile = createTempDir() + "/profile.sb";
-            writeFile(tmpProfile, sandboxProfile);
+            Path sandboxFile = drvPath + ".sb";
+            if (pathExists(sandboxFile)) deletePath(sandboxFile);
+            autoDelSandbox = AutoDelete(sandboxFile);
+
+            writeFile(sandboxFile, sandboxProfile);
 
             builder = "/usr/bin/sandbox-exec";
             args.push_back("sandbox-exec");
             args.push_back("-f");
-            args.push_back(tmpProfile);
+            args.push_back(sandboxFile);
             args.push_back("-D");
             args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
             args.push_back(drv->builder);
+#endif
         } else {
             builder = drv->builder.c_str();
             string builderBasename = baseNameOf(drv->builder);
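Review bot: `autoDelSandbox = AutoDelete(sandboxFile);` is assigned inside runChild(), which by its name runs in the builder child and goes on to launch `/usr/bin/sandbox-exec`. If that launch is an exec in a forked process (the call is outside this hunk), the member's destructor never runs there and the parent's copy is never armed, so the profile would stay on disk. Consider choosing the path and arming the AutoDelete in the parent before the child is started. Separately, the profile moves from a fresh `createTempDir()` to the predictable `drvPath + ".sb"`, and `pathExists`/`deletePath`/`writeFile` is a check-then-write sequence. Whether `writeFile` refuses a pre-existing file or symlink is not visible here, so this is only safe if nothing untrusted can write to that directory.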