diff options
| author | Dan Peebles <pumpkin@me.com> | 2017-10-30T16·25+0100 |
|---|---|---|
| committer | Dan Peebles <pumpkin@me.com> | 2017-10-30T16·59+0100 |
| commit | 4a4a009f78d7267d58a1dbd95f70f12ee3fe89f2 (patch) | |
| tree | 4dd7f936847312e08d2082d8ec3f949cff6355f1 /src/libstore/build.cc | |
| parent | 6e5165b77370c76bfa39d4b55e9f83673f3bd466 (diff) | |
Allow optional localhost network access to sandboxed derivations
This will allow bind and connect to 127.0.0.1, which can reduce purity/ security (if you're running a vulnerable service on localhost) but is also needed for a ton of test suites, so I'm leaving it turned off by default but allowing certain derivations to turn it on as needed. It also allows DNS resolution of arbitrary hostnames but I haven't found a way to avoid that. In principle I'd just want to allow resolving localhost but that doesn't seem to be possible. I don't think this belongs under `build-use-sandbox = relaxed` because we want it on Hydra and I don't think it's the end of the world.
Diffstat (limited to 'src/libstore/build.cc')
| -rw-r--r-- | src/libstore/build.cc | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 88c51654614a..9069d9b06e08 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2774,10 +2774,10 @@ void DerivationGoal::runChild() sandboxProfile += "(deny default (with no-log))\n"; } - sandboxProfile += "(import \"sandbox-defaults.sb\")"; + sandboxProfile += "(import \"sandbox-defaults.sb\")\n"; if (fixedOutput) - sandboxProfile += "(import \"sandbox-network.sb\")"; + sandboxProfile += "(import \"sandbox-network.sb\")\n"; /* Our rwx outputs */ sandboxProfile += "(allow file-read* file-write* process-exec\n"; @@ -2820,7 +2820,7 @@ void DerivationGoal::runChild() sandboxProfile += additionalSandboxProfile; } else - sandboxProfile += "(import \"sandbox-minimal.sb\")"; + sandboxProfile += "(import \"sandbox-minimal.sb\")\n"; debug("Generated sandbox profile:"); debug(sandboxProfile); @@ -2829,6 +2829,8 @@ void DerivationGoal::runChild() writeFile(sandboxFile, sandboxProfile); + bool allowLocalNetworking = get(drv->env, "__darwinAllowLocalNetworking") == "1"; + /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */ Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true); @@ -2844,6 +2846,10 @@ void DerivationGoal::runChild() args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back("-D"); args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/"); + if (allowLocalNetworking) { + args.push_back("-D"); + args.push_back(string("_ALLOW_LOCAL_NETWORKING=1")); + } args.push_back(drv->builder); } #endif |